Do not enable HSTS by default
Feature request
Currently, HSTS is enabled by default with a very long period, subdomains included, and preload enabled. This has some problems:
- A user may not know what HSTS means, and accidentally ruin all his non-HTTPS subdomains by using the generated config.
- The max-age is too long. Anyone who wants to try HSTS should start by using short periods to test.
- If a user added two sites: “example.com” and “foo.example.com”, and explicitly disabled HSTS for “foo.example.com”, it still gets HSTS by default because “example.com” enabled HSTS for all subdomains by default. This behavior is just wrong.
- Preloading should be opt-in. If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default.
So, my suggestion is to disable HSTS by default (or at least warn people about includeSubDomains). Users should only enable HSTS if they know what they are doing.
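The third bullet is a consequence of how browsers match HSTS policies (RFC 6797, section 8.3): a host is covered if it has its own cached entry, or if any superdomain has an entry flagged includeSubDomains. The following is an added example, not code from nginxconfig or from this issue. It models that browser-side cache, reproduces the example.com / foo.example.com scenario from the issue, and adds a small linter for the header value a config generator is about to emit. The hosts come from the issue; the 300-second trial max-age is a hypothetical value chosen for illustration.

```python
"""Model of browser-side HSTS policy matching plus a linter for generated
Strict-Transport-Security headers. Constructed example for this thread;
not nginxconfig's own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000            # the max-age the generated config uses (1 year)
TRIAL_MAX_AGE = 300            # hypothetical short max-age for a first rollout


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when max-age is missing or not an integer; browsers treat
    such a header as if no policy had been sent."""
    max_age = None
    include_sub = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


class HstsStore:
    """Per-browser cache of known HSTS hosts, keyed by the host that sent the header."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header: Optional[str]) -> None:
        """Record what an HTTPS response from `host` carried. No header, a
        malformed header, or max-age=0 removes only that host's own entry."""
        policy = parse_hsts(header) if header else None
        if policy is None or policy.max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy

    def is_hsts_host(self, host: str) -> bool:
        """True if the browser will force HTTPS for `host`: either its own
        entry or a superdomain entry flagged includeSubDomains applies."""
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            policy = self.hosts.get(parent)
            if policy and policy.include_subdomains:
                return True
        return False


def demo_subdomain_leak() -> Dict[str, bool]:
    """Reproduce the issue's scenario: example.com serves the generated header,
    foo.example.com opts out (max-age=0 or no header at all), yet the browser
    still treats foo.example.com as an HSTS host."""
    store = HstsStore()
    store.observe("example.com", "max-age=31536000; includeSubDomains; preload")
    store.observe("foo.example.com", "max-age=0")   # explicit opt-out on the subdomain
    return {
        "foo.example.com": store.is_hsts_host("foo.example.com"),   # True, inherited
        "bar.example.org": store.is_hsts_host("bar.example.org"),   # False, unrelated
    }


def lint_hsts(header: str, has_plain_http_subdomains: bool = False,
              first_rollout: bool = False) -> List[str]:
    """Warnings a config generator should show before emitting `header`,
    following the three concerns raised in the issue."""
    warnings: List[str] = []
    policy = parse_hsts(header)
    if policy is None:
        return ["Strict-Transport-Security value is malformed; browsers will ignore it"]
    if policy.include_subdomains and has_plain_http_subdomains:
        warnings.append("includeSubDomains forces HTTPS on every subdomain, "
                        "including ones still served over plain HTTP")
    if policy.preload:
        warnings.append("preload should be opt-in: a preloaded policy cannot be "
                        "withdrawn by simply changing the header")
    if first_rollout and policy.max_age > TRIAL_MAX_AGE:
        warnings.append(f"max-age={policy.max_age}s on a first rollout; start short "
                        f"(e.g. {TRIAL_MAX_AGE}s) and raise it once HTTPS is verified")
    return warnings


if __name__ == "__main__":
    print(demo_subdomain_leak())
    for w in lint_hsts("max-age=31536000; includeSubDomains; preload",
                       has_plain_http_subdomains=True, first_rollout=True):
        print("warning:", w)
```

Running it shows foo.example.com reported as an HSTS host even though it sent max-age=0, because the browser only removed foo.example.com's own entry and example.com's includeSubDomains entry still matches; the linter emits all three warnings for the generated header when plain-HTTP subdomains exist and this is a first rollout.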
Issue Analytics
- Created 3 years ago
- Reactions: 1
- Comments: 6 (4 by maintainers)
Top GitHub Comments
HSTS is a huge step in the right direction for a more secure web – most sites now use HTTPS by default, some TLDs even have HSTS forced (.dev for example), so I think it is right for a tool designed to provide the best practices to default to having HSTS enabled.
The max-age on HSTS is recommended to generally be long, somewhere in the range of 120 days to a year. nginxconfig is designed to apply the best practices to the generated nginx config files, so we use 1 year for the max-age on the HSTS header.
However, I do agree about the dangers of not correctly explaining the use of includeSubDomains as well as enabling preload by default (these decisions predate me working on the project) – I think we can address the includeSubDomains issue by adding some explainer text next to that setting for those that may need HTTP subdomains, and we can make preload disabled by default.
Should be fixed as soon as the latest push deploys: