From eb1353582ab2e4f10d95a07177914fcc87a86764 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Fri, 24 Apr 2020 02:46:59 +0200
Subject: [PATCH] HSTS: Allow configuration of HSTS preload also

A preload value in the STS header indicates that the webserver wants the browser to add this website to a list which should be considered to be HTTPS only that can influence other browsers that haven't even visisted this webserver before. One can also manually add oneself to such list from https://hstspreload.org/ if one complies with their requirements, of which one is that a preload value in the STS header is specified.
---
 jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml | 3 ++-
 jupyterhub/values.yaml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml b/jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml
index 336724d2aa..070a80e2dd 100644
--- a/jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml
+++ b/jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml
@@ -17,7 +17,8 @@ http:
 #
 # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 headers:
- stsIncludeSubdomains: true
+ stsIncludeSubdomains: {{ .Values.proxy.traefik.hsts.includeSubdomains }}
+ stsPreload: {{ .Values.proxy.traefik.hsts.preload }}
 stsSeconds: {{ .Values.proxy.traefik.hsts.maxAge | int64 }}
 # A middleware to redirect to https
 redirect:
diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
index 2bc7411baf..78edb1e730 100644
--- a/jupyterhub/values.yaml
+++ b/jupyterhub/values.yaml
@@ -151,8 +151,9 @@ proxy:
 name: traefik
 tag: v2.2 # ref: https://hub.docker.com/_/traefik?tab=tags
 hsts:
- maxAge: 15724800 # About 6 months
 includeSubdomains: false
+ preload: false
+ maxAge: 15724800 # About 6 months
 resources: {}
 extraStaticConfig: {}
 extraDynamicConfig: {}
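Review bot: Swapping the hard-coded `stsIncludeSubdomains: true` for the chart value silently weakens the rendered header for anyone on defaults, because `includeSubdomains: false` is already the default in values.yaml (it appears as a context line in the second hunk), so subdomains drop out of the HSTS policy on upgrade. The commit message only mentions preload; if the flip is intended it should be called out in the changelog, otherwise the default should be `includeSubdomains: true` to keep the previous behaviour. Separately, both new lines render the value unquoted and untyped, so an explicit null override would presumably produce an empty scalar; `stsPreload: {{ .Values.proxy.traefik.hsts.preload | default false }}` (and the same for `stsIncludeSubdomains`) keeps the output a boolean. The enclosing `http:` mapping starts and ends outside the hunk.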
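Review bot: The new `preload: false` key is undocumented, and the defaults next to it do not meet the requirements of the preload list the commit message links to. hstspreload.org requires the `includeSubDomains` directive and a max-age of at least 31536000 seconds, while the chart ships `includeSubdomains: false` and `maxAge: 15724800`. An operator who sets only `preload: true` sends a header that will not be accepted for preloading, and one who does get listed commits every subdomain to HTTPS with slow removal. I would add above the key `# preload: only set true together with includeSubdomains: true and maxAge >= 31536000;` and `# preload-list inclusion is slow to undo, see https://hstspreload.org/`. The `proxy.traefik` mapping starts outside the hunk.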