Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider disabling HSTS by default #741

Closed
1 task done
retlehs opened this issue Jan 23, 2017 · 6 comments
Closed
1 task done

Consider disabling HSTS by default #741

retlehs opened this issue Jan 23, 2017 · 6 comments

Comments

@retlehs
Copy link
Member

retlehs commented Jan 23, 2017
edited
Loading

moving our internal discussion from this weekend onto here so we don't forget about it

Let’s say you have HSTS enabled. At some point something (pick a scary thing…any scary thing will do) goes wrong with your SSL configuration and your server is unable to serve a secure request. Your server cannot fulfill the secure request, but the browser (because of the HSTS header) cannot request anything that is insecure. You’re at an impasse and your visitor cannot see the content or asset in question. This remains the case until either your SSL configuration is restored or the HSTS header expires. Now imagine you’re running a large site with multiple teams and lots of moving parts and you see just how scary this issue could be.

Because of this risk, HSTS has to be an option that a user must specify in Let’s Encrypt—despite its importance.
@tmdk
Copy link

tmdk commented Feb 2, 2017
edited
Loading

At the very least, consider turning off includeSubdomains as a default. I've been bitten by this (external service hosted on a subdomain that does not support https)

@markjaquith
Copy link
Contributor

Strongly agree with disabling HSTS by default. The cost of a mistake is too high.

@retlehs
Copy link
Member Author

retlehs commented Apr 5, 2020

yeah we should do this... and update the docs here: https://roots.io/docs/trellis/master/mail/#development

not sure where we've left off on this, are there any reasons not do this - @swalkinshaw?

@swalkinshaw
Copy link
Member

Unfortunately one issue with switching the default is it will mean someone loses their HSTS setting without realizing it. Of course we'll mark the change as breaking and communicate what they need to do... but still. Just a minor thing to consider.

The cost of a mistake is too high.

Is this true? If max-age is set to 0 then the problem is fixed. So consider the trade offs of making a mistake, then fixing it, vs all the people that won't have HSTS enabled at all after this.

I'm not entirely against this, I just don't know it's as clear cut as we think?

swalkinshaw added a commit that referenced this issue Jul 20, 2022
@swalkinshaw
Disable HSTS includeSubdomains by default
28d1beb 
Ref #741

This changes the default for HSTS' `includeSubdomains` value from `true`
to `false`. Previously a user visiting a WordPress site would result in
HSTS being enabled in their browser for _all_ subdomains of the site's
domain. Now HSTS will only apply to the hostnames activately managed by
Trellis in the `wordpress_sites.yml` config.

This is a safer default since subdomains can frequently exist without
SSL.
@swalkinshaw swalkinshaw mentioned this issue Jul 20, 2022
Merged
@swalkinshaw
Copy link
Member

Couple updates on this issue.

  1. Don't add HSTS header for self-signed #1062 disabled HSTS in the standard development environment setups a while ago eliminating some common issues there
  2. I just opened Disable HSTS includeSubdomains by default #1409

I think with those changes, it still makes sense to keep HSTS enabled by default for two reasons.

  1. as mentioned before, hsts_max_age can easily bet set to 0 to disable HSTS
  2. if there's an SSL issue where your site won't load, this will already break your site (even without HSTS) because Trellis has always redirected all HTTP requests to HTTPS if ssl is enabled.

Please let me know if I'm still missing some other situation where this can be a problem.

swalkinshaw added a commit that referenced this issue Jul 21, 2022
@swalkinshaw
Disable HSTS includeSubdomains by default
6c78027 
Ref #741

This changes the default for HSTS' `includeSubdomains` value from `true`
to `false`. Previously a user visiting a WordPress site would result in
HSTS being enabled in their browser for _all_ subdomains of the site's
domain. Now HSTS will only apply to the hostnames activately managed by
Trellis in the `wordpress_sites.yml` config.

This is a safer default since subdomains can frequently exist without
SSL.
@swalkinshaw
Copy link
Member

Closing this now that #1409 is merged. Docs will be updated after the next Trellis release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@retlehs @swalkinshaw @markjaquith @tmdk