Strict transport security not enforced for 400, 500, 401, and 429 error pages

[Prudvidhar]

Hi All,
We enabled RedirectHttpsFilter filter in our application but Strict Transport Security not enforced for 400, 500, 401, and 429 error pages. All other pages have HSTS header. Is there an additional setting for enforcing HSTS for these error pages as well?

play.filters.enabled += play.filters.https.RedirectHttpsFilter

Thanks,
Prudvidhar

[mkurz]

I am pretty sure that is because those http codes origin from an exception that was thrown "while" the https redirect filter "runs", but because of such an exception the https redirect filter does not finish normally. What I want to say is look at this line:

playframework/web/play-filters-helpers/src/main/scala/play/filters/https/RedirectHttpsFilter.scala

Line 57 in 71f6975

next(req).map(_.withHeaders(stsHeaders: _*))

Here you can see the filter calls the next filter and eventually the action method. now if there is an exception within that "next" method chain somewhere, the map and therefore the withHeaders will not be called anymore on the result. So yeah, that is not really ideal, as far as I remember we got similiar reports with other filters as well.

Now the question is: How bad is that behaviour? Because usually you get those errors after your site was visited already, so that means the Strict-Transport-Security header very very likely got send already for the domain a user is visiting, so not sending the header for those error pages should not do real harm IMHO (the browser should know already that this domain should be redirect to https).
Further, this just affects the Strict-Transport-Security header, but the redirect for those error pages will still work, because that happens when the filter is entered, before the next(...) happens. So in real life in the case, someone access your page via http the user will definitely be forwareded to https, but then it can happen, if an error occurs and if the user never visited your domain without error that the Strict-Transport-Security will not be sent. I mean yeah this is not ideal, but because the https redirect works, it shouldn't do any harm.

I don't think it's easy to fix that right now in Play. I could only think of that we have to change the http error handlers so that they check if the httpsredirect filter is enabled and if so and if no header was set it could then set it. IMHO this is not really nice so we might have think about a more general approach how to solve such problems, where a filter should do stuff (like adding headers) no matter if an server side error/exception occured or not , in future

What you could do is to add such a check in a custom http error handler youself to make sure you alway add the header if it does not exist yet on the result hat will be sent, I don't think there is another workaround right now.