
Enable HTTP Strict Transport Security (HSTS) #69

Open
dentarg opened this issue Dec 26, 2017 · 8 comments

Comments

@dentarg
Member

dentarg commented Dec 26, 2017

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

@dentarg
Member Author

dentarg commented Dec 26, 2017

@dentarg
Member Author

dentarg commented Dec 26, 2017

Should it be done in the Ruby app or in the Nginx proxy?

@dentarg
Member Author

dentarg commented Dec 26, 2017

Is there anything we should think of in regards to HSTS / preload and Let's Encrypt?

@jage
Member

jage commented Dec 26, 2017

> Also preload?

Sure, I do preload on duh.se. IMO if you start with HSTS you should be really committed to HTTPS, thus preload should only be an upside.

> Should it be done in the Ruby app or in the Nginx proxy?

Ruby, I think. To avoid being too dependent on this proxy setup.

> Is there anything we should think of in regards to HSTS / preload and Let's Encrypt?

Don't think so, except that we are basically bound to use HTTPS forever.
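Setting the header in the Ruby app rather than in Nginx, as jage suggests, looks roughly like the following. This is an added example, not code from this project or from anyone in the thread: a plain-Ruby, Rack-style middleware that adds `Strict-Transport-Security` only to responses delivered over HTTPS. Because the app sits behind a TLS-terminating proxy, it also honours `X-Forwarded-Proto`, which assumes the proxy sets (and overwrites) that header on every request; the sample app and request environments at the bottom are constructed for a stand-alone run.

```ruby
# Added example (not the project's code): minimal Rack-style middleware that
# emits Strict-Transport-Security from the Ruby app, independent of Nginx.
# Uses only plain Ruby, no gems, so it runs stand-alone.
class HstsMiddleware
  ONE_YEAR = 31_536_000 # seconds; hstspreload.org requires at least one year

  def initialize(app, max_age: ONE_YEAR, include_subdomains: true, preload: true)
    @app = app
    @value = +"max-age=#{max_age}"
    @value << "; includeSubDomains" if include_subdomains
    @value << "; preload" if preload
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only emit HSTS on HTTPS responses: browsers ignore the header over
    # plain HTTP, and RFC 6797 says not to send it there.
    headers["Strict-Transport-Security"] = @value if https?(env)
    [status, headers, body]
  end

  private

  # Behind a TLS-terminating proxy the app sees rack.url_scheme=http, so
  # X-Forwarded-Proto is consulted too. Assumption: the proxy always sets
  # this header itself, so a client cannot inject it.
  def https?(env)
    env["HTTP_X_FORWARDED_PROTO"] == "https" || env["rack.url_scheme"] == "https"
  end
end

# Constructed sample app for a stand-alone run (hypothetical, not the wiki app).
HELLO_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["hello"]] }

# Runs one constructed request environment through the middleware and
# returns the Rack triple [status, headers, body].
def respond(env)
  HstsMiddleware.new(HELLO_APP).call(env)
end

if $PROGRAM_NAME == __FILE__
  _, headers, _ = respond("rack.url_scheme" => "http", "HTTP_X_FORWARDED_PROTO" => "https")
  puts headers["Strict-Transport-Security"]
  _, headers, _ = respond("rack.url_scheme" => "http")
  puts headers.fetch("Strict-Transport-Security", "(no HSTS header on plain HTTP)")
end
```

The middleware is mounted once, in front of the application, and the proxy's `X-Forwarded-Proto` handling is the part worth reviewing when it is deployed: if a client could supply that header, the app would emit HSTS on a plain-HTTP response, which browsers discard but which would make the app's own view of the scheme untrustworthy.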

@dentarg dentarg changed the title Enable HTTP Strict Transport Security (HSTS)? Enable HTTP Strict Transport Security (HSTS) Dec 26, 2017
@dentarg dentarg removed the question label Dec 26, 2017
@dentarg
Member Author

dentarg commented Dec 26, 2017

https://hstspreload.org/?domain=starkast.wiki says

```
Error: www subdomain does not support HTTPS
Domain error: The www subdomain exists, but we couldn't connect to it using HTTPS ("x509: certificate is valid for film.starkast.net, fry.starkast.net, huvud-fry.starkast.net, huvud-kif.starkast.net, huvud.starkast.net, im.starkast.net, kif.starkast.net, lara.starkast.net, ludde.starkast.net, patrik.starkast.net, skuld.starkast.net, starkast.net, wiki.starkast.net, www.starkast.net, not www.starkast.wiki"). Since many people type this by habit, HSTS preloading would likely cause issues for your site.
```

I get the feeling that hstspreload.org doesn't understand SNI.

Can you do HSTS preload with SNI?

@dentarg
Member Author

dentarg commented Dec 26, 2017

> I get the feeling that hstspreload.org doesn't understand SNI.

Hmm... jekyll/jekyll#6432 (comment)

> Yes, hstspreload.org should be able to handle SNI-only sites without problem.

@dentarg
Member Author

dentarg commented Dec 26, 2017

Oops

```
$ curl -s -v https://www.starkast.wiki
* Rebuilt URL to: https://www.starkast.wiki/
*   Trying 212.63.204.17...
* TCP_NODELAY set
* Connected to www.starkast.wiki (212.63.204.17) port 443 (#0)
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
```

@dentarg
Member Author

dentarg commented Jan 15, 2018

Fixed now

```
$ curl -s -v -o /dev/null https://www.starkast.wiki
* Rebuilt URL to: https://www.starkast.wiki/
*   Trying 80.252.185.193...
* TCP_NODELAY set
* Connected to www.starkast.wiki (80.252.185.193) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: starkast.wiki
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> GET / HTTP/1.1
> Host: www.starkast.wiki
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Mon, 15 Jan 2018 23:58:55 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://starkast.wiki/
<
{ [178 bytes data]
* Connection #0 to host www.starkast.wiki left intact
```
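The `curl -v` output above shows the certificate problem is gone, but the 301 from `www` still carries no `Strict-Transport-Security` header, and the preload submission form checks that too. The following is an added example, not code from this project or from anyone in the thread: it parses the `< ` response-header lines that `curl -v` prints, extracts the HSTS directives, and reports which of the hstspreload.org requirements the thread refers to (a `max-age` of at least one year, `includeSubDomains`, and `preload`) are not met, also flagging a redirect that would leave HTTPS. The first sample is the redirect captured above; the second is a constructed response that passes.

```ruby
# Added example, not from the issue: check a curl -v response against the
# HSTS preload requirements (max-age >= 1 year, includeSubDomains, preload)
# and make sure a redirect stays on https.
ONE_YEAR = 31_536_000

# Returns [status, headers] from curl -v style output. Only "< " lines are
# read; header names are downcased because they are case-insensitive.
def parse_curl_response(text)
  status = nil
  headers = {}
  text.each_line do |line|
    next unless line.start_with?("< ")
    field = line[2..-1].strip
    if field =~ %r{\AHTTP/\d(?:\.\d)?\s+(\d{3})}
      status = Regexp.last_match(1).to_i
    elsif (m = field.match(/\A([^:]+):\s*(.*)\z/))
      headers[m[1].downcase] = m[2]
    end
  end
  [status, headers]
end

# Splits "max-age=31536000; includeSubDomains; preload" into a hash of
# downcased directive names to values (nil for valueless directives).
def parse_hsts(value)
  directives = {}
  value.split(";").each do |directive|
    name, val = directive.strip.split("=", 2)
    directives[name.downcase] = val unless name.nil? || name.empty?
  end
  directives
end

# Returns an array of problems; an empty array means every check passed.
def preload_problems(curl_output)
  status, headers = parse_curl_response(curl_output)
  problems = []
  if (300..399).cover?(status) && !headers.fetch("location", "").start_with?("https://")
    problems << "redirect leaves HTTPS: #{headers['location']}"
  end
  hsts = headers["strict-transport-security"]
  return problems << "no Strict-Transport-Security header" if hsts.nil?

  directives = parse_hsts(hsts)
  max_age = directives["max-age"].to_i
  problems << "max-age #{max_age} is below one year" if max_age < ONE_YEAR
  problems << "missing includeSubDomains" unless directives.key?("includesubdomains")
  problems << "missing preload" unless directives.key?("preload")
  problems
end

# Sample 1: the www redirect captured in the thread (headers trimmed).
WWW_REDIRECT = <<~CURL
  < HTTP/1.1 301 Moved Permanently
  < Server: nginx
  < Content-Type: text/html
  < Location: https://starkast.wiki/
  <
CURL

# Sample 2: a constructed response that would satisfy the checks.
GOOD_RESPONSE = <<~CURL
  < HTTP/1.1 200 OK
  < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  <
CURL

if $PROGRAM_NAME == __FILE__
  p preload_problems(WWW_REDIRECT)   # ["no Strict-Transport-Security header"]
  p preload_problems(GOOD_RESPONSE)  # []
end
```

Run it with the saved output of `curl -s -v -o /dev/null https://www.starkast.wiki 2>&1` piped in, for both the `www` host and the apex, since the preload requirements apply to every redirect hop as well as the final response.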
