Hi there,

HTTP Strict Transport Security (HSTS) uses an HTTPS response header, telling the browser to always use an encrypted connection for this hostname and to not let the user override any certificate warnings when it re-visits the site in the future. These restrictions apply for a certain period of time. The goal is to make man-in-the-middle attacks more difficult. Of the major browsers, only IE doesn't support it yet.

* http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
* http://tools.ietf.org/html/rfc6797

Even though you could configure HSTS on the backend and have pound simply forward the header, I thought it would be a better idea to configure it in pound. The attached patch is against 2.7c and introduces the new service-level instruction "StrictTransportSecurity <seconds>". It is only acceptable inside HTTPSListeners. The parameter tells the browser for how long it should remember HSTS. On production systems you should use something in the range of several months (for ssllabs.com you need to configure at least 180 days to have it improve your rating). The special value 0 instructs the browser to delete the HSTS entry. This of course requires the browser to re-visit your site.

When HSTS is configured in a pound service it will override any HSTS headers received from the backend. Otherwise the backend's HSTS header is simply passed through.

Before you enable HSTS, make sure you understand its implications:

- Even though you can configure HSTS per service, it actually affects the (virtual) hostname, i.e. any service and even HTTPListeners or other web servers which can be addressed with the same hostname
- So for clarity I recommend configuring HSTS with the same value in all affected pound services
- Do not enable it if an unencrypted (HTTP-only) site is running on any (virtual) hostname your HTTPS service is listening on
- Be aware that you will no longer be able to simply switch back to HTTP

Some things the patch does not implement but could easily be added if you think this is necessary:

- No HSTS header for Redirect backends
- No support for the HSTS includeSubDomains option
- No stripping of HSTS headers in HTTPListeners

Regards,
Frank
pound-2.7c-sts.diff
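The override and pass-through behaviour described in the message, written up as an added Python model so the semantics can be checked; this is not Frank's patch and not pound code, and the header lists are constructed sample data (the 180-day threshold is the one the message mentions for ssllabs.com):

```python
# Added example: a small model of the header rewriting the message describes.
# Not the pound patch itself; backend headers below are constructed samples.

HSTS_HEADER = "Strict-Transport-Security"
SSLLABS_MIN_SECONDS = 180 * 24 * 3600  # 180 days, as stated in the message


def apply_hsts(backend_headers, listener_is_https, service_max_age=None):
    """Return the response headers the proxy would send to the client.

    backend_headers:   list of (name, value) pairs received from the backend.
    listener_is_https: True for an HTTPSListener, False for an HTTPListener.
    service_max_age:   the <seconds> of 'StrictTransportSecurity <seconds>'
                       in the service, or None when the instruction is absent.
    """
    if service_max_age is None:
        # No instruction configured: the backend's header passes through as-is.
        return list(backend_headers)
    if not listener_is_https:
        # The instruction is only acceptable inside HTTPSListeners.
        raise ValueError("StrictTransportSecurity is only valid in an HTTPSListener")
    if service_max_age < 0:
        raise ValueError("StrictTransportSecurity must be >= 0")
    # Configured: drop whatever HSTS header the backend sent and emit our own.
    # A value of 0 is sent too; it tells the browser to delete its HSTS entry.
    out = [(n, v) for (n, v) in backend_headers if n.lower() != HSTS_HEADER.lower()]
    out.append((HSTS_HEADER, f"max-age={service_max_age}"))
    return out


def hsts_max_age(headers):
    """Parse max-age from the HSTS header, or return None if there is none."""
    for name, value in headers:
        if name.lower() == HSTS_HEADER.lower():
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.strip().lower() == "max-age":
                    return int(val.strip())
    return None


def meets_ssllabs_threshold(headers):
    """True when the HSTS max-age is at least the 180 days the message cites."""
    age = hsts_max_age(headers)
    return age is not None and age >= SSLLABS_MIN_SECONDS
```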
