Enable RFC 6797 HSTS signaling

The HTTP Strict Transport Security (HSTS) mechanism defined in IETF RFC 6797 allows us to indicate to clients that the site to which they are connecting should only every be reached over an encrypted HTTPS connection, in an effort to thwart protocol downgrade attacks which could convince a client to fall back to plaintext HTTP. Set such a policy header for the SSL vhost, valid for one year, and indicate that this policy also applies to any subdomains of the hostname with which the site is served (even though it's unlikely that there would ever be any in this case, this is useful for consistency with inclusion in other vhost templates in the future). While HSTS policy can't prevent downgrade attacks the very first time a client connects to this site, thereafter their browser would be wary of connecting over plain HTTP for subsequent connections for a full year. Change-Id: If5c2f3b70e7f7646bf6168e8942aee0ecb7c2ec8
2019-04-14 14:53:25 +00:00 · 2019-04-14 14:53:25 +00:00 · 2658fb41ba
commit 2658fb41ba
parent 8a0e111327
1 changed files with 1 additions and 0 deletions
--- a/templates/graphite.ssl.vhost.erb
+++ b/templates/graphite.ssl.vhost.erb
@ -8,6 +8,7 @@
 </VirtualHost>

 <VirtualHost *:443>
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        SSLEngine on
        SSLCertificateFile      <%= scope.lookupvar("graphite::ssl_cert_file") %>
        SSLCertificateKeyFile   <%= scope.lookupvar("graphite::ssl_key_file") %>