Skip to content

Allow setting HSTS on a per domain basis #6953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 28, 2020
Merged

Allow setting HSTS on a per domain basis #6953

merged 2 commits into from
Apr 28, 2020

Conversation

davidfischer
Copy link
Contributor

  • Adds 3 fields to the domain model for the 3 fields in the HSTS header (max-age, preload, include subdomains)
  • Allows proxito to set the HSTS header if max-age is >0 and applies the preloading and subdomain settings
  • Do not expose this to the public UI. Users could easily make mistakes that make their site not load.

Fixes #4135

@davidfischer
Allow setting HSTS on a per domain basis
4a60fb9 
- Do not expose this to the public UI
@davidfischer davidfischer requested a review from a team April 23, 2020 06:03
ericholscher
ericholscher reviewed Apr 23, 2020
View reviewed changes
Copy link
Member

@ericholscher ericholscher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm excited for this change, it's a good one, and should remove almost all the remaining complexity in our nginx configs by moving them to our application. 💯

readthedocs/proxito/middleware.py
@@ -114,3 +115,20 @@ def process_request(self, request): # noqa
request.host_project_slug = request.slug = ret

return None

def process_response(self, request, response): # noqa
"""Set the Strict-Transport-Security (HSTS) header for a custom domain if max-age>0."""
Copy link
Member

@ericholscher ericholscher Apr 23, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add support for our own domains here too. It should be as simple as checking for request.subdomain and perhaps settings.PUBLIC_DOMAIN_USES_HTTPS and setting them to what we want.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just so I'm clear, you're envisioning that we should set the HSTS header in proxito (if appropriate) exclusively in middleware whether it's for a custom domain or for the public domain (*.readthedocs.io)?

You're still planning on relying on nginx setting the HSTS header for the dashboard/production domain (readthedocs.org), correct? Because we want this header set for some domains and not others, we can't rely on the usual method of Django's SecurityMiddleware.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, just for the requests through proxito on the PUBLIC_DOMAIN and probably EXTERNAL_DOMAIN (PR builders) as well.

@alex
Copy link
Contributor

alex commented Apr 24, 2020

Woooo! Extremely thrilled to see this, please let us know when/how we can help beta test this!

Thank you so much for working on this, having this natively in RTD is going to let us (pyca) kill the remaining infrastructure we run ourselves

ericholscher
ericholscher approved these changes Apr 27, 2020
View reviewed changes
Copy link
Member

@ericholscher ericholscher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm 👍 on shipping this, even without my changes, but it'd be good to get the HSTS config setup for our own domains as well.

@ericholscher ericholscher merged commit c90c20f into master Apr 28, 2020
@ericholscher ericholscher deleted the davidfischer/set-hsts-for-custom-domains branch April 28, 2020 01:09
@alex
Copy link
Contributor

alex commented Apr 28, 2020

How can we work with y'all to start trialing this for some of the PyCA domains :D

@westurner westurner mentioned this pull request Apr 28, 2020
Closed
@ericholscher
Copy link
Member

@alex If you have a list of projects, we can enable them after deploy tomorrow. We can confirm its working by hitting the servers directly with curl before migrating things over.

@alex
Copy link
Contributor

alex commented Apr 28, 2020 via email

@davidfischer
Copy link
Contributor Author

I still have a bit of refactoring and a few more features to add here but since this change requires admin flags to be set to take effect we should be able to test it.

@ericholscher
Copy link
Member

@alex I've just enabled this:

-> curl -sIL https://www.pyopenssl.org/en/stable/ |grep security
strict-transport-security: max-age=3600

@alex
Copy link
Contributor

alex commented Apr 28, 2020 via email

@alex
Copy link
Contributor

alex commented Apr 28, 2020

@ericholscher Would it be better to track this stuff in it's own ticket or an email thread with us? We'll want to add preload, include subdomains, and bump up the max-age gradually as the next steps.

@alex alex mentioned this pull request Apr 28, 2020
Closed
2 tasks
@ericholscher
Copy link
Member

@alex either works for me. Feel free to open an RTD ticket or email me directly. 👍

@davidfischer
Copy link
Contributor Author

If you do an RTD ticket, any of the RTD core folks could do it too.

@alex alex mentioned this pull request Apr 28, 2020
Closed
6 tasks
@alex
Copy link
Contributor

alex commented Apr 28, 2020

I've filed #6984, hopefully this is an ok place!

@isdanni isdanni mentioned this pull request Mar 14, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericholscher ericholscher ericholscher approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Optional HSTS support
3 participants
@davidfischer @alex @ericholscher