HSTS Preload
-
The requirements are here https://hstspreload.org/ .
I think instead of making something generic, we can possible just add a checkbox say "Enable HSTS Preload" or something.
-
@girish any news on this? As in Europe we currently have this ongoing war between Ukrain and Russia with a hight amount of cyber-attacks in circulation, it would be great to bump up the available security measures as much as possible
If you would be going to create a tunable security-setting here, it would also be really great if you could give the option to select which TLS-Versions should be supported and maybe set a sensible default to support 1.1, 1.2 and 1.3.
Also, do you know if Cloudron uses a Version of NGINX that already supports QUIC protocol rather than TCP to transport HTTP?
Would also be glad to lend a hand if you need support with getting this to work.
-
-
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
-
@girish said in HSTS Preload:
This is implemented now. Will be available in 7.4.
I have just upgraded to 7.4, enabled HSTS for my Mastodon instance on blueplanet.social and tried to submitted the address to hstspreload.org, but it reports:
Error: Multiple HSTS headers Response error: Multiple HSTS headers (number of HSTS headers: 3). -
The header is coming from somewhere else. Only the last line is generate by Cloudron. We don't have any code to generate other two lines. So maybe this comes mastodon itself.
< strict-transport-security: max-age=63072000; includeSubDomains < x-cached: MISS < strict-transport-security: max-age=31536000 < strict-transport-security: max-age=63072000; includeSubDomains; preload -
-
@girish said in HSTS Preload:
@nichu42 ah, this is the same as https://github.com/mastodon/mastodon/issues/17083
Ah, thanks. So we have Mastodon + Ruby + Cloudron. Is there a way to get rid off the others and thus only have Cloudron set the header?
