From 2658fb41baa3be250a8f78e180c91f9b341c360a Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Sun, 14 Apr 2019 14:53:25 +0000 Subject: [PATCH] Enable RFC 6797 HSTS signaling The HTTP Strict Transport Security (HSTS) mechanism defined in IETF RFC 6797 allows us to indicate to clients that the site to which they are connecting should only ever be reached over an encrypted HTTPS connection, in an effort to thwart protocol downgrade attacks which could convince a client to fall back to plaintext HTTP. Set such a policy header for the SSL vhost, valid for one year, and indicate that this policy also applies to any subdomains of the hostname with which the site is served (even though it's unlikely that there would ever be any in this case, this is useful for consistency with inclusion in other vhost templates in the future). While HSTS policy can't prevent downgrade attacks the very first time a client connects to this site, thereafter their browser would be wary of connecting over plain HTTP for subsequent connections for a full year. Change-Id: If5c2f3b70e7f7646bf6168e8942aee0ecb7c2ec8 --- templates/graphite.ssl.vhost.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/graphite.ssl.vhost.erb b/templates/graphite.ssl.vhost.erb index 1fb5592..d2b6bba 100644 --- a/templates/graphite.ssl.vhost.erb +++ b/templates/graphite.ssl.vhost.erb @@ -8,6 +8,7 @@ + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" SSLEngine on SSLCertificateFile <%= scope.lookupvar("graphite::ssl_cert_file") %> SSLCertificateKeyFile <%= scope.lookupvar("graphite::ssl_key_file") %>
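Review bot: the new `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` line in the `@@ -8,6 +8,7 @@` hunk is a mod_headers directive, and nothing in this diff shows that module being loaded for the vhost; please confirm it is enabled wherever this template is rendered, since Apache refuses to start on an unknown `Header` directive. Placing the directive in the SSL vhost only is correct (RFC 6797 clients ignore the header over plain HTTP), and `always` is the right choice because it keeps the header on redirect and error responses that the default `onsuccess` condition would drop. One caveat worth a one-line comment in the template next to this directive: `includeSubDomains` pins every subdomain of the served hostname to HTTPS-only for a full year in any client that has seen the header, so a future subdomain that is only reachable over plain HTTP would be blocked; the commit message accepts that trade-off, but a future editor of the template will not see the commit message.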