Okhttp: Support HSTS

Persistent configuration would be really nice for stuff like this. See also:
https://github.com/square/okhttp/issues/2890

We have an implementation of an Interceptor implementing HSTS pre-loaded list (no Strict-Transport-Security header support). I can submit a PR if you decide this should be part of the OkHttp core.

@amirlivneh I'd love to integrate a java/kotlin version in my own project if not. Care to publish this somewhere?

I would argue for OkHttp moving in this direction, sites should be able to indicate their security policy like this and have it respected by mobile clients. But it seems like something that could cause problems when applied globally by default given the wide number of older devices, it's likely these devices would start showing up on app developers failure dashboards.

@yschimke, I'll wait for the maintainers' decision on this. If we don't end up upstreaming it, I may be able to publish the Interceptor somewhere.

I'm one of the maintainers, it would be easier to judge suitability once we can evaluate the code. We have a similar feature that includes a large binary list for top level domains, and it does cause some pain as well as bloat but is a reasonably important feature.

I don't expect the implementation to add bloat because the list of preloads is provided by the user. The API will be something along these lines:

List<HstsPreload> hstsPreloads = Arrays.asList(
    // Force HTTPS for foo.com and all of its subdomains
    new HstsPreload.Builder().domain("foo.com").build(),

    // Force HTTPS for bar.com and all of its subdomains, except for special.bar.com
    new HstsPreload.Builder().domain("bar.com").build(),
    new HstsPreload.Builder().domain("special.bar.com"),
        .forceHttps(false)
        .includeSubdomains(false)
        .build());

OkHttpClient client = new OkHttpClient.Builder()
    .hstsPreloads(hstsPreloads)
    .build();

I think perhaps the best approach of OkHttp is also pretty easy. Just disable all cleartext:

    client = new OkHttpClient.Builder()
        .connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS))
        .build();

HSTS is great for general-purpose clients like browsers. But many folks who’d use HSTS with OkHttp might be better off just dropping all cleartext.

This might be best as a separate library. If we were to build it into OkHttp I'd personally push for including a public (firefox/chrome) preload list, upgrading to https automatically and eventually observing and storing Strict-Transport-Security headers.

I agree that disabling cleartext is the simplest solution and probably good enough for most clients. Our apps have special use cases that require more granular control. Fortunately, Interceptors are powerful enough, so we can rely on one to address our needs.

In our solution, we decided not to couple the enforcing mechanism with a public preload list. We have lightweight apps with extreme APK size constraints. Some of these apps only send requests to a limited set of domains. Decoupling the public preload list from the enforcing mechanism allows those apps to benefit from HTTPS forcing without taking the size penalty of a full public list.

This seems pretty widely adopted https://caniuse.com/#search=hsts

Also relevant https://emilymstark.com/2020/10/24/strict-transport-security-vs-https-resource-records-the-showdown.html

and

https://twitter.com/estark37/status/1320442640123326464

https://twitter.com/tunetheweb/status/1320661941556252672

Discusses caching of similar items.

Curl implementation https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
https://github.com/curl/curl/blob/21464a65c60092e410bb3c8195f3160fc49f4286/docs/HSTS.md