add STS headers to SSL-only sites (SSL strict mode) [#986312]

In "SSL-required" mode, we should also ship the STS headers to indicate to compatible browsers (firefox 4, firefox+noscript, chromium) that we should never be accessed without SSL. This is called the Strict Transport Security (STS) mode and is documented here:

http://en.wikipedia.org/wiki/Strict_Transport_Security

Here is some sample apache.conf code:

    # Add six earth month HSTS header for all users...
    Header add Strict-Transport-Security "max-age=15768000"
    # If you want to protect all subdomains, use the following header
    # Strict-Transport-Security: max-age=15768000 ; includeSubDomains

... stolen from: https://github.com/ioerror/duraconf/blob/master/configs/apache2/https-hs...

... which varies a little from the canonical wikipedia example:

Header set Strict-Transport-Security "max-age=500"
Header append Strict-Transport-Security includeSubDomains

Comments

Comment #1

omega8cc CreditAttribution: omega8cc commented 1 December 2010 at 16:44

For Nginx it will be:

### Strict Transport Security (ForceHTTPS)
    add_header Strict-Transport-Security "max-age=500; includeSubdomains";

Good idea, IMO, but max-age should be rather short (a few minutes) to avoid issues if the Required mode will be enabled by mistake and admin will revert to Enabled only.

Comment #2

anarcat CreditAttribution: anarcat commented 1 December 2010 at 17:11

Good.

I think max-age shouldn't be so short, otherwise this becomes much less useful. One way of making sure people know what they're doing would be to add a "strict ssl" option after the "required SSL" one so that it's clear that it's something different, maybe with a tooltip that would explains wtf that is...

Comment #3

omega8cc CreditAttribution: omega8cc commented 1 December 2010 at 17:18

Yes, tooltip there would be useful (maybe with link to Wikipedia?) since not all browsers will understand/support this header.

Comment #4

anarcat CreditAttribution: anarcat commented 1 December 2010 at 17:34

If a browser doesn't support this feature, then STS is like required SSL, so this is not a problem.

Comment #5

anarcat CreditAttribution: anarcat commented 13 January 2011 at 16:01

another good code sample: http://pastebin.com/raw.php?i=YZVbSeGg

Comment #6

dkeays CreditAttribution: dkeays commented 3 March 2011 at 19:38

If you are interested in HSTS but don't have access to Apache2.conf, Coldfrontlabs (coldfrontlabs.ca) has a module for 6 and one for 7. They suggest that if you can then use the lines given above.

One reason for a long expiration time is that the server is insecure when HTTP is being used to connect. Many (if not most) connections will start with one insecure hit which opens them up to a MITM right there. With HSTS that insecurity would only happen once for the life of the header so the attack surface is much smaller.

HSTS does more than just require the browser to contact using HTTPS, it also has zero tolerance for self-signed or invalid certs; it will drop the connection if there is a cert error and there won't be an exception button on the cert error screen. I think the problem was MITM attacks that use an insecure cert on the server to get authenticated and did some social engineering to get ppl to disable cert checking in their browser.

Comment #7

Steven Jones CreditAttribution: Steven Jones commented 7 November 2011 at 23:32

Title:	add STS headers to SSL-only sites	» add STS headers to SSL-only sites (SSL strict mode)
Version:	6.x-0.4-alpha3	» 6.x-2.x-dev

Comment #8

ergonlogic

he/him

English

Montréal, Québec 🇨🇦

CreditAttribution: ergonlogic commented 20 January 2014 at 21:36

Version:	6.x-2.x-dev	» 7.x-3.x-dev
Issue summary:	View changes

New features need to be implemented in Aegir 3.x, then we can consider back-porting to Aegir 2.x.

Comment #9

bgm CreditAttribution: bgm commented 11 August 2014 at 00:01

If anyone is interested, I wrote a small provision sub-module for this:
https://github.com/mlutfy/provision_sts

(I tested agaist Aegir 2.x with Apache, but haven't tested yet with nginx.)

However, I agree with the above comments. It would be nice to have in core, and display a help text on the consequences of enabling STS.

Comment #10

helmo CreditAttribution: helmo at Initfour websolutions commented 3 April 2015 at 11:16

Issue tags:

+aegir-ssl

Thanks @bgm, I've tested it with Aegir 7.x-3.0beta1 and apache and it works ok.

I've added provision_sts to http://community.aegirproject.org/content/contrib-modules/contribs-aegir...

To be included in Aegir we would probably need to make it configurable. Either global on admin/hosting/settings or per site?

Comment #11

colan

he/him

English

Toronto 🇨🇦

CreditAttribution: colan at Colan Schwartz Consulting commented 3 March 2017 at 17:31

Just created an Aegir HTTPS issue for this at https://gitlab.com/aegir/hosting_https/issues/35.

Comment #12

helmo CreditAttribution: helmo at Initfour websolutions commented 29 March 2018 at 09:16

Status:

Active

» Closed (duplicate)

That hosting_https issue is now on https://www.drupal.org/project/hosting_https/issues/2936046 lets continue there. Apache works, nginx needs a bit of work.