HSTS: Allow configuration of HSTS preload also

A preload value in the STS header indicates that the webserver wants the browser to add this website to a list which should be considered to be HTTPS only that can influence other browsers that haven't even visisted this webserver before. One can also manually add oneself to such list from https://hstspreload.org/ if one complies with their requirements, of which one is that a preload value in the STS header is specified.
jupyterhub · Apr 24, 2020 · eb13535 · eb13535
1 parent 46e7a38
commit eb13535
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml b/jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml
@@ -17,7 +17,8 @@ http:
       #
       # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
       headers:
-        stsIncludeSubdomains: true
+        stsIncludeSubdomains: {{ .Values.proxy.traefik.hsts.includeSubdomains }}
+        stsPreload: {{ .Values.proxy.traefik.hsts.preload }}
         stsSeconds: {{ .Values.proxy.traefik.hsts.maxAge | int64 }}
     # A middleware to redirect to https
     redirect:

diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
@@ -151,8 +151,9 @@ proxy:
       name: traefik
       tag: v2.2 # ref: https://hub.docker.com/_/traefik?tab=tags
     hsts:
-      maxAge: 15724800 # About 6 months
       includeSubdomains: false
+      preload: false
+      maxAge: 15724800 # About 6 months
     resources: {}
     extraStaticConfig: {}
     extraDynamicConfig: {}