Add HSTS to F# ApiServer and BwdServer #3665
Conversation
yes
The implementation here is a bit of a hack; for some reason, the constructs used in ApiServer.fs are not working here. A follow-up commit is likely to clean this up.

Note: 205/211 tests needed adjustment; the other 6 did not, as the requests do not hit our HTTP stack. Several (5) of the tests required careful adjustment through vim because of their inconsistent line endings.

Most of the tests (200/211), I could just edit normally in VS Code to expect the

The requests of these tests fail to reach our HTTP stack, and did not need updating:
These tests required a more careful edit because of the awkward newline situation:
Today, I successfully used (and escaped)
Close. Remaining TODOs:
Out of the URLs that ApiServer exposes, these are now tested for the Strict-Transport-Security header:

along with 2 bogus endpoints (

The only remaining step on my list is to figure out why BwdServer seemed to require the hacky set-up for HSTS.

@pbiggar ready for a review. I've tried my best to figure out why BwdServer won't work with

Could you explain what happens when you try to use HSTS for BwdServer?

It seems to have no effect; the header is then not present in all HTTP responses. I had a theory that I also tried seeing if testing in a local environment was a relevant factor - after some logging there, I determined it wasn't, but I'm curious if it'd work in prod.
7ddb0c7 to 0ee37c4
If the above description doesn't make sense, it may be worthwhile to briefly Zoom over it? I can alternatively push a commit that will use the UseHsts+AddHsts code instead, resulting in all the related tests failing. Or, we can just add a CLEANUP/Issue to follow up on later.

Ready to merge once conflicts are fixed.
This matches the HSTS config found here and here.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
localhost prevents HSTS locally, so maybe OK to leave it on locally. Edit: works fine locally, so I'm seeing no reason to disable.
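For reference, here is how the standard ASP.NET Core AddHsts/UseHsts pair (the code path the thread mentions as the alternative to the hack) would be configured in F# to emit exactly the header quoted above. This is an added example, not code from the PR or from the ApiServer/BwdServer sources; the function names configureHsts and configureApp are made up for illustration. The comments describe two documented conditions under which the built-in HstsMiddleware deliberately omits the header (a non-HTTPS request, or a host in ExcludedHosts, which by default contains the loopback names); whether either one is what the BwdServer experiments ran into is not established on this page.

```fsharp
// Added example, not part of the PR: ASP.NET Core HSTS wiring in F# that
// produces "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload".
open System
open Microsoft.AspNetCore.Builder
open Microsoft.AspNetCore.HttpsPolicy
open Microsoft.Extensions.DependencyInjection

// Hypothetical helper name; register the HSTS options on the service collection.
let configureHsts (services : IServiceCollection) =
    services.AddHsts(fun (options : HstsOptions) ->
        // Defaults are 30 days, no includeSubDomains, no preload.
        // 365 days = 31536000 seconds, matching the header value quoted in the thread.
        options.MaxAge <- TimeSpan.FromDays 365.0
        options.IncludeSubDomains <- true
        options.Preload <- true
        // HstsMiddleware skips the header when the request host is in
        // ExcludedHosts, which by default holds "localhost", "127.0.0.1" and "[::1]".
        // Uncomment to have local HTTPS responses carry the header as well.
        // options.ExcludedHosts.Clear()
    ) |> ignore

// Hypothetical helper name; add the middleware to the pipeline.
let configureApp (app : IApplicationBuilder) =
    // HstsMiddleware also skips the header unless Request.IsHttps is true.
    // If TLS is terminated by a proxy in front of the server, the request
    // arrives as plain HTTP and no header is emitted unless something such
    // as UseForwardedHeaders (X-Forwarded-Proto) restores the https scheme
    // before this middleware runs.
    app.UseHsts() |> ignore
```

The preload directive should only be set once the domain is actually meant to be submitted to the browser preload lists, since a preloaded entry with a one-year max-age is not something that can be quickly rolled back.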