Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds HSTS configuration variables #388

Merged
merged 1 commit into from
Oct 20, 2015
Merged

Adds HSTS configuration variables #388

merged 1 commit into from
Oct 20, 2015

Conversation

austinpray
Copy link
Contributor

Adds the following WordPress site variables

ssl.nginx_hsts_max_age
ssl.nginx_hsts_include_subdomains
ssl.nginx_hsts_preload

Adds the following nginx global defaults

nginx_hsts_max_age: 31536000
nginx_hsts_include_subdomains: true
nginx_hsts_preload: true

@louim
Copy link
Contributor

louim commented Oct 19, 2015

Any particular reason why we would want these options to be configurable vs enforcing them as sane defaults?

@retlehs
Copy link
Member

retlehs commented Oct 19, 2015

i ran into an issue today where includeSubDomains affected subdomains and made them inaccessible, had to remove it and set the max-age to 0

https://shrikantadhikarla.wordpress.com/2013/02/18/anatomy-of-includesubdomains-directive-in-http-strict-transport-security-policy/

@austinpray
Copy link
Contributor Author

@louim if you need to refresh your settings you might need to set max_age to 0 temporarily

Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring. Should it be necessary to disable Strict Transport Security, setting the max-age to 0 (over a https connection) will immediately expire the Strict-Transport-Security header, allowing access via http.

https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

Also, mind as well keep them configurable since these are potentially site-breaking options

swalkinshaw
swalkinshaw reviewed Oct 20, 2015
View reviewed changes
roles/wordpress-setup/templates/wordpress-site.conf.j2
{% set hsts_include_subdomains = item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) %}
{% set hsts_preload = item.value.ssl.hsts_preload | default(nginx_hsts_preload) %}

add_header Strict-Transport-Security "max-age={{ hsts_max_age }}{{ hsts_include_subdomains | ternary('; includeSubdomains', '') }}{{ hsts_preload | ternary('; preload', '') }}";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we care how messy this is? If the variables were strings it could be:

add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload].join(';') }}";

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason why I did the manual "; " prefix is because I was trying to follow the format:

image

https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security#Enabling_Strict_Transport_Security

Other formatting examples

https://tools.ietf.org/html/draft-hodges-strict-transport-sec-02#page-14

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

austinpray
austinpray reviewed Oct 20, 2015
View reviewed changes
roles/wordpress-setup/templates/wordpress-site.conf.j2
{% set hsts_max_age = item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) %}
{% set hsts_include_subdomains = item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubdomains', None) %}
{% set hsts_preload = item.value.ssl.hsts_preload | default(nginx_hsts_preload) | ternary('preload', None) %}
add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}";
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

results in add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

@swalkinshaw
Copy link
Member

@austinpray changelog pls 🍉

@austinpray
Adds HSTS configuration variables
3ad5511 
Adds the following WordPress site variables

ssl.nginx_hsts_max_age
ssl.nginx_hsts_include_subdomains
ssl.nginx_hsts_preload

Adds the following nginx global defaults

nginx_hsts_max_age: 31536000
nginx_hsts_include_subdomains: true
nginx_hsts_preload: true
@austinpray
Copy link
Contributor Author

@roots/trellis-contributors gimme a couple extra go-aheads and I'll merge.

@swalkinshaw
Copy link
Member

👍

1 similar comment
@louim
Copy link
Contributor

louim commented Oct 20, 2015

👍

austinpray added a commit that referenced this pull request Oct 20, 2015
@austinpray
Merge pull request #388 from austinpray/hstsVars
33555eb 
Adds HSTS configuration variables
@austinpray austinpray merged commit 33555eb into roots:master Oct 20, 2015
@austinpray austinpray deleted the hstsVars branch October 20, 2015 02:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@austinpray @louim @retlehs @swalkinshaw