Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue 51904: Strict-Transport-Security header when HTTPS is required #6168

Merged
merged 3 commits into from
Dec 22, 2024
Merged

Issue 51904: Strict-Transport-Security header when HTTPS is required #6168

merged 3 commits into from
Dec 22, 2024

Conversation

labkey-jeckels
Copy link
Contributor

Rationale

We have many protections in place already to ensure that traffic is always over HTTPS. We can set this header to catch an edge case for an initial http:// request on a third-party link.

Changes

  • Set a long-lived Strict-Transport-Security header when the server is already requiring HTTPS connections

@labkey-jeckels
Copy link
Contributor Author

@labkey-adam @labkey-matthewb no need to rush to adopt this but it was easy so I figured I'd open the PR before the holidays

labkey-matthewb
labkey-matthewb reviewed Dec 21, 2024
View reviewed changes
api/src/org/labkey/api/security/AuthFilter.java Outdated
@@ -164,6 +165,11 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
return;
}

if (sslRequired)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding a devMode check. I believe the reason we don't already have this is because it is incredibly sticky. If you do this on a dev machine and test SSL, you won't be able to use http: until next year or until you figure out how to make your browser forget this setting.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ask me how I know...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good idea. Update pushed.

labkey-matthewb
labkey-matthewb approved these changes Dec 21, 2024
View reviewed changes
Copy link
Contributor

@labkey-matthewb labkey-matthewb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we set the header even if the current request is http? (along with the redirect?)

@labkey-jeckels
Copy link
Contributor Author

should we set the header even if the current request is http? (along with the redirect?)

We could, but I saw commentary that it's only supposed to be set for HTTPS responses. Apparently browsers ignore it for plain HTTP

@labkey-matthewb
Copy link
Contributor

should we set the header even if the current request is http? (along with the redirect?)

We could, but I saw commentary that it's only supposed to be set for HTTPS responses. Apparently browsers ignore it for plain HTTP

That makes sense actually.

@labkey-jeckels labkey-jeckels merged commit 1e95a44 into release24.11-SNAPSHOT Dec 22, 2024
5 checks passed
@labkey-jeckels labkey-jeckels deleted the 24.11_fb_51904_httpsHeader branch December 22, 2024 18:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@labkey-matthewb labkey-matthewb labkey-matthewb approved these changes

@labkey-adam labkey-adam Awaiting requested review from labkey-adam

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@labkey-jeckels @labkey-matthewb