Dev - Nexus Repo
NEXUS-20268

enable HSTS for inbound HTTPS connectors by default


    Details

    • Release Note:
      Yes

      Description

      Current versions of NXRM 3 that run Jetty Server 9.3.7 or newer can support HTTP Strict Transport Security (HSTS) for inbound connections (RFC 6797: https://tools.ietf.org/html/rfc6797).

      Enabling HSTS has been requested by a few NXRM users, and when enabled it helps achieve an A+ rating on ssllabs.com.

      https://github.com/eclipse/jetty.project/issues/271
      https://bugs.eclipse.org/bugs/show_bug.cgi?id=484657

      Jetty Server change adding this feature:

      https://github.com/eclipse/jetty.project/commit/19d6e36ab961b9b8db97c66ebde973f36e37f959

      Expected

      Adjust our shipped jetty-https.xml to enable HSTS by default.

      All that is needed is to adjust the SecureRequestCustomizer creation from this:

      <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Arg><Ref refid="httpConfig"/></Arg>
        <Call name="addCustomizer">
          <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
        </Call>
      </New>


      to this:

      <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Arg><Ref refid="httpConfig"/></Arg>
        <Call name="addCustomizer">
          <Arg>
            <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
              <!-- 7776000 seconds = 90 days -->
              <Set name="stsMaxAge">7776000</Set>
            </New>
          </Arg>
        </Call>
      </New>


      For the justification of the 90-day max-age default, see https://letsencrypt.org/2015/11/09/why-90-days.html.

      As for NOT including sub-domains under HSTS by default: we believe this carries less risk of indirectly affecting other applications hosted on different sub-domains within the same organization.
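      As an added check (example code written for this page, not part of NXRM or the Jetty project): a small parser for the Strict-Transport-Security response header per RFC 6797, plus an assessment that flags the conditions this issue discusses (header absent, max-age shorter than the proposed 90 days, includeSubDomains present, malformed directives). The sample responses are constructed; the first assumes that Jetty's SecureRequestCustomizer with stsMaxAge=7776000 and no includeSubDomains emits the value max-age=7776000.

```python
"""Parse and assess a Strict-Transport-Security header (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# 90 days in seconds: the stsMaxAge value proposed in the issue.
NINETY_DAYS = 90 * 24 * 60 * 60  # 7776000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    errors: List[str]


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value (RFC 6797 section 6.1).

    Directives are ';'-separated and case-insensitive; max-age is
    required and must be a non-negative integer; a directive that
    appears twice makes the header invalid; unknown directives are
    ignored, as the RFC requires.
    """
    errors: List[str] = []
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            errors.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not sep or not re.fullmatch(r"\d+", arg):
                errors.append(f"bad max-age value: {arg!r}")
            else:
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        errors.append("max-age directive missing")
    return HstsPolicy(max_age, include_subdomains, preload, errors)


def assess(headers: Dict[str, str], min_age: int = NINETY_DAYS) -> List[str]:
    """Return findings for a response header map; an empty list means OK."""
    findings: List[str] = []
    sts = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if sts is None:
        findings.append("HSTS header absent")
        return findings
    policy = parse_hsts(sts)
    findings.extend(policy.errors)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the HSTS policy")
        elif policy.max_age < min_age:
            findings.append(f"max-age {policy.max_age} is below the expected {min_age}s")
    if policy.include_subdomains:
        findings.append("includeSubDomains set: policy also binds every sub-domain")
    return findings


# Constructed sample responses (not captured from a real server). The
# first assumes the header Jetty emits for the configuration in the issue.
SAMPLES = {
    "nexus-after-change": {"Strict-Transport-Security": "max-age=7776000"},
    "nexus-before-change": {"Content-Type": "text/html"},
    "short-age": {"strict-transport-security": "max-age=300"},
    "subdomains": {"Strict-Transport-Security": "max-age=7776000; includeSubDomains"},
    "broken": {"Strict-Transport-Security": "max-age=abc; max-age=5"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {assess(hdrs) or ['OK']}")
```

      Run it against the headers of a real response (for example from an HTTPS client library) to confirm the deployed jetty-https.xml actually produces the intended policy; the includeSubDomains finding is informational and reflects the issue's choice not to bind sub-domains by default.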

              People
              Assignee: Unassigned
              Reporter: Peter Lynch (plynch)
              Last Updated By: Wes Wannemacher