Simple way to enable HTTP Strict Transport Security in Nette?

4 years ago

Honza Kuchař
Backer | 1648
0

Security first.

Should there be some easy way to enable HSTS in a Nette application? I use it for all our services.

4 years ago

Filip Procházka
Moderator | 4693
+2

Having a config option that would make Nette send the header and propagate the Route::SECURED flag to all routes would be nice. There could be a new flag for App\Request that would force the router to add https:// even if the flag is not set.

4 years ago

Honza Kuchař
Backer | 1648
0

This makes sense to me.

4 years ago

Jan Tvrdík
Nette guru | 2547
0

Maybe to you but not to me. There is no standard (interface) way to set the Route::SECURED flag.

4 years ago

Filip Procházka
Moderator | 4693
0

@JanTvrdík that's why I mentioned the App\Request that could deliver the flag to the Route.

4 years ago

Milo
Nette Core | 1071
+1

It is not an interface way, but Route::$defaultFlags may help.

4 years ago

Honza Kuchař
Backer | 1648
0

@Milo Default flags are only part of the thing. There must also be a header sent informing the browser for how long it should use https only. E.g.:

Strict-Transport-Security: max-age=31536000; includeSubDomains

4 years ago

Milo
Nette Core | 1071
+2

@HonzaKuchař It can be set by the webserver. For Apache2, Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" with the headers module loaded; for Nginx, add_header Strict-Transport-Security max-age=31536000;.

4 years ago

Honza Kuchař
Backer | 1648
0

Sure, that is what I do, but I do not think that it is the cleanest way it can be done.

Because wherever there is any route without the Route::SECURED flag, you get an infinite redirection loop. I think there should be some support from the framework side.
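Putting the two halves of the thread together (Milo's Route::$defaultFlags suggestion plus the header itself, sent only over TLS so the redirect loop described above cannot start), as an added example that is not code from this thread or from the Nette project; it assumes a Nette 2.x application with a conventional RouterFactory and BasePresenter:

```php
<?php
// Added example, not from the forum thread or the Nette project.
// Assumes Nette 2.x (Route::SECURED, Route::$defaultFlags) and a
// conventional RouterFactory / BasePresenter layout.

use Nette\Application\Routers\Route;
use Nette\Application\Routers\RouteList;
use Nette\Application\UI\Presenter;

class RouterFactory
{
    public static function createRouter()
    {
        // Every route constructed after this line carries the SECURED flag,
        // so generated links and canonical redirects use https:// and an
        // HSTS-upgraded browser is never bounced back to http:// (the loop
        // the thread warns about comes from a single route missing the flag).
        Route::$defaultFlags = Route::SECURED;

        $router = new RouteList;
        $router[] = new Route('<presenter>/<action>[/<id>]', 'Homepage:default');
        return $router;
    }
}

abstract class BasePresenter extends Presenter
{
    // 31536000 s = one year; includeSubDomains extends the policy to every
    // subdomain, so make sure all of them actually serve TLS before using it.
    const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

    protected function startup()
    {
        parent::startup();
        // Browsers ignore Strict-Transport-Security received over plain HTTP,
        // so only emit it on a TLS connection; plain-HTTP requests are left to
        // the secured router, which redirects them to https://.
        if ($this->getHttpRequest()->isSecured()) {
            $this->getHttpResponse()->setHeader('Strict-Transport-Security', self::HSTS_VALUE);
        }
    }
}
```

With both pieces in place the header can be dropped from the webserver config, or kept there as well; sending it twice is harmless but the application-level version is what keeps the router and the policy in agreement.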