Adding HSTS response headers

Is there any way to add strict-transport-security response headers, besides for running a reverse proxy? This would go far in securing the implementation. I’ve enabled HTTPS, and have valid certs, but would like a little extra security.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

into /etc/httpd/conf.d/ssl.conf (for Apache2) just before the default virtual host (<VirtualHost _default_:443>) is what you are looking for?
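Once the header is in place, it is worth confirming the value actually served is one browsers will honour. The following is an added example, not code from this thread or from any of the projects mentioned: it parses a Strict-Transport-Security value per RFC 6797 and flags the common mistakes. The sample variants and the one-year minimum are my own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the value from the Apache reply above plus variants
# that a post-deployment check should catch.
SAMPLE_HEADERS = {
    "apache_reply": "max-age=63072000; includeSubDomains",
    "short_max_age": "max-age=3600",
    "zero_max_age": "max-age=0",          # max-age=0 tells the browser to drop the policy
    "duplicate": "max-age=300; max-age=63072000",
    "malformed": "includeSubDomains",     # max-age is mandatory
}

MIN_MAX_AGE = 31536000  # one year; assumed minimum, not mandated by the RFC


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an STS value into {directive_name_lower: value_or_None}.

    Directive names are case-insensitive and RFC 6797 6.1 forbids repeating
    a directive, so a duplicate raises ValueError (browsers ignore such headers).
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else None  # quoted-string form allowed
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    return directives


def check_hsts(value: str, min_max_age: int = MIN_MAX_AGE) -> List[str]:
    """Return a list of findings; an empty list means the policy looks sound."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    if "max-age" not in d:
        return ["max-age directive missing; header is invalid and ignored"]
    if d["max-age"] is None or not re.fullmatch(r"\d+", d["max-age"]):
        return ["max-age must be a non-negative integer number of seconds"]
    findings: List[str] = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 removes the HSTS policy rather than enforcing it")
    elif max_age < min_max_age:
        findings.append(f"max-age {max_age} is below the {min_max_age}s minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label}: {check_hsts(hdr) or 'OK'}")
```

Feed it the value returned by your server (for example the `Strict-Transport-Security` line from a HEAD request) rather than the config file, so that a missing `Header always` module or a wrong virtual host shows up.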

If you care about security, you should really use a reverse proxy instead of the built-in HTTPS support.

I was looking to get it added to the built-in Rocket webserver. It looks like Rocket supports it so it should be pretty easy to add, and I don’t really see any downsides.

The downside is that the TLS/SSL support in Rocket isn’t that great, and therefore a reverse proxy is better, which can then also take care of those headers.

Fair enough. I think it’s something that could be added pretty easily though, with very few downsides. Was hoping not to have to run another service just to fix something in this service that could be implemented to better serve the community.