HSTS should not be set automatically by the app. Everyone should be free to set a wanted max-age, and to enable HSTS preloading. I may be wrong but it seems to have been introduced by https://github.com/tootsuite/mastodon/commit/ee82d8a8761f0bedc97f5e79565b7c5142c1b8bd.
Mastodon adds the following header:
Strict-Transport-Security: max-age=15552000
Looks like that's true... force_ssl enables the Rack::SSL middleware, which not only redirects http to https, but also marks cookies as secure and enables HSTS. But there seem to be options for disabling all of these individually, so I think we can adjust it.
Redirecting http>https and marking cookies as secure is a good thing, but enabling HSTS out of the box is a mistake IMO.
Enabling HSTS has some implications that the admin should be aware of, and requires consideration; enabling/configuring HSTS in Mastodon config would require adding more documentation and complication. It's best to leave that to the frontend web server.
(sorry for the double post, I always post too fast) - I also had a look at rack-ssl's HSTS options and the only configurable settings are the duration and subdomains. No way to disable it, nor enable preloading.
@hrefhref is right, enabling HSTS requires awareness.
It seems the only solution is to use the ngx_headers_more module (otherwise there are duplicate headers, which is not a good thing). Rails does not allow the disabling of HSTS, though max-age and preload can be changed.
That's part of the feedback I was looking for here -- https://github.com/tootsuite/mastodon/pull/2165
I think it does make sense to switch to the global force_ssl option instead of the controller one (to make it easier for people who don't control their web servers to turn on HSTS, like Heroku for example), but am open to more things we have to change as part of that switch.
What are the scenarios to consider where someone would want to use https, but not want to set HSTS?
Would a lower max-age default be sufficient to leave it turned on? Should we disable subdomains?
Well, even with a lower one, we can't add our with this "enforcement", so we can't have a long HSTS :/
The better should be nothing from the app, and let the webserver/proxy handle that...
Would something like this help? https://github.com/tootsuite/mastodon/compare/master...mjankowski:hsts-optional
(Makes HSTS enable separate from force_ssl enable)
Looks good to me, @mjankowski :+1:
Would be perfect!
@mjankowski Looks good
I don't call this "disable"
max-age=0
That tells browsers to remove the host from hsts list immediately.
On Apr 23, 2017, at 16:57, Technowix notifications@github.com wrote:
I don't call this "disable"
max-age=0
Well, we wanted to disable Mastodon from putting the flag, so we can define how much time we want to enforce https :s
Got it.
So - ideal scenario is that mastodon sets zero hsts headers unless explicitly enabled?
On Apr 23, 2017, at 17:04, Technowix notifications@github.com wrote:
Well, we wanted to disable Mastodon from putting the flag, so we can define how much time we want to enforce https :s
Yeah, and let the proxy handle that.
Thanks if you can push a fix :)
EDIT: also, don't put a comma into the flag if you want to put one. It's ";" ("dot-comma") separated...
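Two points in this thread are easy to get wrong in practice: max-age=0 is not "off" but an instruction to the browser to drop the host from its HSTS list, and directives must be separated by ";" rather than ",". The following is an added example, not code from Mastodon or from anyone in this thread, that parses a Strict-Transport-Security value the way RFC 6797 describes and reports what effect it has; the preload-age threshold is an assumed value for illustration.

```ruby
# Added example (not from the Mastodon thread): parse a
# Strict-Transport-Security header value and report its effect.
#
# RFC 6797: directives are separated by ";", names are case-insensitive,
# max-age is required and must be a non-negative integer (optionally quoted).

# Assumed minimum age for preload eligibility, used here only for illustration.
MIN_PRELOAD_AGE = 31_536_000

# Split the header into a directive => value hash.
# Valueless directives (includeSubDomains, preload) map to true.
def parse_hsts(value)
  directives = {}
  value.split(";").each do |part|
    name, _, val = part.strip.partition("=")
    name = name.strip.downcase
    next if name.empty?
    directives[name] = val.strip.empty? ? true : val.strip.delete('"')
  end
  directives
end

# Assess the parsed header: is it valid, what does it tell the browser to do,
# and would it qualify for a preload submission under the assumed threshold?
def assess_hsts(value)
  d = parse_hsts(value)
  age = d["max-age"]
  unless age.is_a?(String) && age.match?(/\A\d+\z/)
    # A comma-separated value ends up here: "31536000, includeSubDomains"
    # is not a valid max-age, so a browser ignores the whole header.
    return { valid: false, reason: "max-age missing or malformed" }
  end
  age = age.to_i
  subdomains = d.key?("includesubdomains")
  preload = d.key?("preload")
  {
    valid: true,
    max_age: age,
    include_subdomains: subdomains,
    preload: preload,
    # max-age=0 removes the host from the browser's HSTS list immediately.
    effect: age.zero? ? :remove : :enforce,
    preload_eligible: age >= MIN_PRELOAD_AGE && subdomains && preload
  }
end

if __FILE__ == $PROGRAM_NAME
  [
    "max-age=15552000",                                # Mastodon's default
    "max-age=0",                                       # removal, not "disable"
    "max-age=31536000, includeSubDomains, preload",    # wrong separator
    "max-age=63072000; includeSubDomains; preload"     # operator's own policy
  ].each { |h| puts "#{h.inspect} => #{assess_hsts(h)}" }
end
```

Run it directly to see each header's assessment; note that the comma-separated form is rejected outright, which is why Technowix's separator remark matters.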
Unfortunately I'm afraid we can't do more with Rails. Like I said, the only solution will be to use a nginx module called ngx_headers_more, which can overwrite the header sent by the backend app.
Then, without the headers_more option, I think letting people set their own max-age would be the best option...
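To show what "let the proxy handle it" with ngx_headers_more looks like, here is an added example of a reverse-proxy block; it is not configuration from the Mastodon repository or from anyone in this thread. The hostname, upstream address and max-age are constructed placeholders, and more_set_headers requires the ngx_headers_more module to be compiled in.

```nginx
# Added example, not Mastodon's own config. Replaces the
# Strict-Transport-Security header that the Rails app emits
# with the operator's own policy, so the browser sees exactly one value.
server {
    listen 443 ssl;
    server_name mastodon.example;          # placeholder hostname

    location / {
        proxy_pass http://127.0.0.1:3000;  # assumed upstream address

        # more_set_headers (ngx_headers_more) overwrites an existing response
        # header instead of appending a second copy, which is what avoids the
        # duplicate-header problem mentioned above. The value is constructed.
        more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload";
    }
}
```

Without the module, stock nginx can achieve the same result by dropping the upstream header with proxy_hide_header Strict-Transport-Security; and then emitting the desired one with add_header inside the same location block. Either way, check the final policy with a single request (for example curl -sI against the site) before committing to a long max-age, since the browser will hold whatever value it first receives for that full duration.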