Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Solved HSTS Preload

    Feature Requests
    4
    5
    206
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • alex-adestech
      alex-adestech last edited by girish

      It would be nice to have a way to modify the default nginx headers of WordPress Apps.

      By default, WordPress Apps in Cloudron have the header "strict-transport-security: max-age=63072000". You can find a screenshot below and the reference in here: https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L98

      This feature request would be useful in several ways; one of them is because there are simple requirements to submit a domain to the HSTS Preload List. The requirements are adding the "strict-transport-security" header with:

      • The max-age must be at least 31536000 seconds (1 year).
      • The includeSubDomains directive must be specified.
      • The preload directive must be specified.

      Using a WordPress plugin I added the required header, but then I would have 2 "strict-transport-security" headers that would result in an "ineligibility" status by submitting the HSTS Preload form.

      Please comment if you think I missed something or want to add something to this request. Thanks for reading!

      This is a screenshot of our website's headers using Chrome Tools:
      Screen Shot 2022-06-22 at 11.49.26.png

      1 Reply Last reply Reply Quote 0
      • girish
        girish Staff last edited by

        The requirements are here https://hstspreload.org/ .

        I think instead of making something generic, we can possible just add a checkbox say "Enable HSTS Preload" or something.

        Jan Macenka M 2 Replies Last reply Reply Quote 7
        • Jan Macenka
          Jan Macenka @girish last edited by Jan Macenka

          @girish any news on this? As in Europe we currently have this ongoing war between Ukrain and Russia with a hight amount of cyber-attacks in circulation, it would be great to bump up the available security measures as much as possible 😉

          If you would be going to create a tunable security-setting here, it would also be really great if you could give the option to select which TLS-Versions should be supported and maybe set a sensible default to support 1.1, 1.2 and 1.3.

          Also, do you know if Cloudron uses a Version of NGINX that already supports QUIC protocol rather than TCP to transport HTTP?

          Would also be glad to lend a hand if you need support with getting this to work.

          1 Reply Last reply Reply Quote 1
          • M
            m-si @girish last edited by

            @girish I would love to have this feature as well. Especcially as without it's impossible to register the domain at https://hstspreload.org...as you said.

            1 Reply Last reply Reply Quote 0
            • girish
              girish Staff last edited by

              This is implemented now. Will be available in 7.4.

              1 Reply Last reply Reply Quote 1
              • Topic has been marked as a question  girish girish 
              • Topic has been marked as solved  girish girish 
              • First post
                Last post
              Powered by NodeBB