Simple way to enable HTTP Strict Transport Security in Nette?

Honza Kuchař
Member | 1662
Score: 0

Security first.

Should there be some easy way to enable HSTS in a Nette application? I use it for all our services.

Filip Procházka
Moderator | 4668
Score: +2

Having a config option that would make Nette send the header and propagate the Route::SECURED flag to all routes would be nice. There could be a new flag for App\Request that would force the router to add https:// even if the flag is not set.

Honza Kuchař
Member | 1662
Score: 0

This makes sense to me.

Jan Tvrdík
Nette guru | 2595
Score: 0

Maybe to you, but not to me. There is no standard (interface) way to set the Route::SECURED flag.

Filip Procházka
Moderator | 4668
Score: 0

@JanTvrdík That's why I mentioned App\Request, which could deliver the flag to the Route.

Milo
Nette Core | 1283
Score: +1

It is not an interface way, but Route::$defaultFlags may help.

Honza Kuchař
Member | 1662
Score: 0

@Milo Default flags are only part of the thing. A header informing the browser for how long it should use HTTPS only must also be sent. E.g.:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Milo
Nette Core | 1283
Score: +2

@HonzaKuchař It can be set by the web server. For Apache2, with the headers module loaded:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

For Nginx:

add_header Strict-Transport-Security max-age=31536000;

Honza Kuchař
Member | 1662
Score: 0

Sure, that is what I do, but I do not think it is the cleanest way it can be done.

Because wherever there is any route without the Route::SECURED flag, you get an infinite redirection loop. I think there should be some support from the framework side.
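The two halves the thread arrives at, Milo's Route::$defaultFlags idea and the Strict-Transport-Security header, put together in one place, as an added example that is not code from the thread or from Nette itself. It assumes the Nette 2.x API the thread is about (Route::SECURED, Route::$defaultFlags, Presenter::getHttpRequest()/getHttpResponse()); the BasePresenter class name, the file paths in the comments and the one-year max-age are this example's own choices. The default flag is what removes the redirect loop Honza describes: once the web server forces https, any route that still generates http:// links makes the presenter's canonicalization redirect back to http, and the server bounces it to https again.

```php
<?php
// Added example, not code from the thread or from Nette itself.
// Assumes Nette 2.x (Route::SECURED and Route::$defaultFlags exist); the
// presenter class name and the HSTS max-age are this example's own choices.

use Nette\Application\Routers\Route;
use Nette\Application\Routers\RouteList;
use Nette\Application\UI\Presenter;

// --- app/router/RouterFactory.php (path assumed) ---------------------------
// Milo's suggestion: set the default flags once, before any Route is built, so
// every route (including ones other modules add later) generates https:// URLs.
// Without this, a route lacking Route::SECURED generates http:// links, the
// presenter's canonicalization redirects to them, and a web server that forces
// https sends the browser straight back: the loop Honza describes.
Route::$defaultFlags = Route::SECURED;

$router = new RouteList;
$router[] = new Route('<presenter>/<action>[/<id>]', 'Homepage:default');
// Equivalent to passing Route::SECURED as the third argument of every Route.

// --- app/presenters/BasePresenter.php (path assumed) -----------------------
abstract class BasePresenter extends Presenter
{
    // One year, as in Honza's example header. Start lower while rolling out;
    // a browser that has cached a long max-age cannot be talked back to http.
    const HSTS_MAX_AGE = 31536000;

    protected function startup()
    {
        parent::startup();
        $this->sendHstsHeader();
    }

    /**
     * Sends Strict-Transport-Security from the framework, as an alternative to
     * (or alongside) the Apache/Nginx directives Milo shows.
     * Note the syntax: "max-age=" with an equals sign, not "max-age:".
     */
    private function sendHstsHeader()
    {
        // Browsers ignore an STS header received over plain HTTP
        // (RFC 6797, section 8.1), so only send it on a TLS request.
        if (!$this->getHttpRequest()->isSecured()) {
            return;
        }
        // includeSubDomains is the poster's choice; leave it out if any
        // subdomain still has to stay reachable over plain HTTP.
        $this->getHttpResponse()->setHeader(
            'Strict-Transport-Security',
            'max-age=' . self::HSTS_MAX_AGE . '; includeSubDomains'
        );
    }
}
```

If you keep the header in the web server instead, two details are worth checking against Milo's snippets: in Nginx, add_header directives are not inherited into a location block that declares its own add_header, so a per-location header silently drops HSTS there, and a value containing a semicolon (as with includeSubDomains) has to be quoted.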