
TODO: HSTS support #139

Open
junkurihara opened this issue Jan 22, 2024 · 6 comments
Labels
help wanted Extra attention is needed

Comments

@junkurihara
Owner

RFC: https://datatracker.ietf.org/doc/html/rfc6797

Any idea of a configuration directive specifying HSTS for an app in TOML file?

@paulocoghi

Looking into the security headers on Traefik documentation and examples (here), as well as this user suggestion, this could be one idea:

[http.exampleContext]

  [http.exampleContext.security.headers]
    forceSTSHeader = true
    stsIncludeSubdomains = true
    stsPreload = true
    stsSeconds = 15552000

@paulocoghi

But I don't like the idea of forceSTSHeader; instead, something simpler like STSHeader.

@junkurihara
Owner Author

junkurihara commented Jan 24, 2024

Hi Paulo, thanks!

I think it makes sense. max-age (seconds), include_subdomains and preload need to be explicitly specified. But rpxy should enable HSTS only when the HSTS directive (e.g., [experiments.hsts]?) exists.

@junkurihara
Owner Author

Also IMHO, HSTS does not need to be controlled separately for each backend application. I mean it should be a global option for rpxy, to keep the config file as simple as possible.

Or do we need such flexibility for the settings of backend applications?
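To make the proposal above concrete, here is an added example (not rpxy's own code; all names are hypothetical) of a single global HSTS table rendered into the RFC 6797 Strict-Transport-Security header, with the header emitted only when the directive is present and the response goes out over TLS:

```rust
// Added example, not rpxy's code: a global HSTS block such as the
// `[experiments.hsts]` table discussed above, with the three explicit
// fields (max-age, include_subdomains, preload), rendered per RFC 6797.

/// Global HSTS settings. Passing `None` at the call site models the case
/// where the directive is absent from the TOML, so no header is emitted.
#[derive(Debug, Clone, PartialEq)]
pub struct HstsConfig {
    /// `max-age` in seconds (RFC 6797 section 6.1.1); 15552000 = 180 days.
    pub max_age: u64,
    /// Emit the `includeSubDomains` directive (section 6.1.2).
    pub include_subdomains: bool,
    /// Emit the non-standard `preload` token read by browser preload lists.
    pub preload: bool,
}

impl HstsConfig {
    /// Reject combinations that silently weaken or break the policy.
    pub fn validate(&self) -> Result<(), String> {
        if self.max_age == 0 {
            // max-age=0 tells clients to drop the policy; "enabling" HSTS
            // with it is almost certainly a configuration mistake.
            return Err("max_age must be greater than 0".into());
        }
        if self.preload && !self.include_subdomains {
            // Preload-list operators require includeSubDomains, so this
            // combination would be rejected at submission time anyway.
            return Err("preload requires include_subdomains".into());
        }
        Ok(())
    }

    /// Render the header value, e.g. `max-age=15552000; includeSubDomains; preload`.
    pub fn header_value(&self) -> String {
        let mut v = format!("max-age={}", self.max_age);
        if self.include_subdomains { v.push_str("; includeSubDomains"); }
        if self.preload { v.push_str("; preload"); }
        v
    }
}

/// Only attach the header when HSTS is configured AND the response is sent
/// over TLS: RFC 6797 section 7.2 has clients ignore it on plain HTTP.
pub fn hsts_header(cfg: Option<&HstsConfig>, over_tls: bool) -> Option<String> {
    let cfg = cfg?;
    if !over_tls { return None; }
    Some(cfg.header_value())
}

fn main() {
    let cfg = HstsConfig { max_age: 15_552_000, include_subdomains: true, preload: true };
    cfg.validate().expect("valid HSTS config");
    println!("Strict-Transport-Security: {:?}", hsts_header(Some(&cfg), true));
}
```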

@junkurihara junkurihara added the help wanted Extra attention is needed label Feb 1, 2024
@Gamerboy59
Contributor

Or do we need such flexibility for the settings of backend applications?

Except for legacy compatibility, I see no benefit in per-upstream configuration. HSTS is on its way to becoming the standard, and a global configuration ensures uniform security policies across all backend applications.

@akostadinov
Contributor

Probably, as a first step, this can be enabled whenever HTTPS redirection is configured. Not sure about stsIncludeSubdomains, though. Maybe that deserves a separate upstream option. It might be on by default; that's fine in case you believe this should be the standard. But other than that, whether you add a new global option or a new per-upstream option, the complexity of the configuration is the same. But the flexibility of the configuration is much higher when per-upstream.
