redlib-org/redlib

💡 Feature request: Increase HSTS Max Age

Opened this issue · 6 comments

Is your feature request related to a problem? Please describe.

HSTS (HTTP Strict Transport Security) max age is too short at 604800, as shown by SSL Labs.

Describe the feature you would like to be implemented

Default built-in HSTS for Redlib should be increased to at least 180 days as recommended by SSL Labs, NIST, etc.

Describe alternatives you've considered

I have tried setting and removing the HSTS age in both my nginx/ssl config files as well as my specific proxy-conf for redlib to no avail, so it seems baked into the code somewhere.

Additional context / screenshot

I host Redlib as well as a number of other services using SWAG which is built on NGINX. I attempted to set HSTS globally in my ssl.conf which worked fine for every site except redlib. But when removing it, redlib still seems to have it enabled somewhere that I cannot find.
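The complaint above is easy to confirm or refute against any deployment by inspecting the `Strict-Transport-Security` header the server actually returns. The following checker is an added example for this thread, not Redlib code: it parses an HSTS header value per RFC 6797 (case-insensitive directives, `max-age` required, each directive at most once) and compares `max-age` against the 180-day threshold the issue cites. The header samples inside it are constructed; the only value taken from the thread is the 604800-second default.

```python
"""HSTS header check (added example, not part of Redlib).

Parses a Strict-Transport-Security value as defined in RFC 6797 and reports
whether max-age meets the 180-day minimum mentioned in the issue.  The sample
header values in main() are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional

# 180 days, the minimum the issue cites from SSL Labs / NIST guidance.
MIN_MAX_AGE = 180 * 24 * 60 * 60  # 15552000 seconds


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    valid: bool
    problems: list[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one STS header value. Directive names are case-insensitive; a
    missing max-age or a repeated directive makes the header invalid, and
    browsers then ignore it entirely (RFC 6797 section 6.1)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    valid = True
    problems: list[str] = []
    seen: set[str] = set()

    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            problems.append(f"directive repeated: {name}")
            valid = False
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():  # also rejects an empty "max-age="
                problems.append(f"max-age is not a non-negative integer: {arg!r}")
                valid = False
            else:
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            # Unknown directives are ignored by browsers; record, don't fail.
            problems.append(f"unknown directive ignored: {name}")

    if max_age is None:
        problems.append("max-age missing; browsers ignore the header")
        valid = False
    return HstsPolicy(max_age, include_subdomains, preload, valid, problems)


def hsts_meets_threshold(value: str, minimum: int = MIN_MAX_AGE) -> bool:
    """True only when the header is valid and max-age >= minimum seconds."""
    policy = parse_hsts(value)
    return policy.valid and policy.max_age is not None and policy.max_age >= minimum


def assess_headers(headers: Mapping[str, str], minimum: int = MIN_MAX_AGE) -> str:
    """Classify a response's HSTS posture: 'missing', 'invalid', 'too-short' or 'ok'.
    Header names are matched case-insensitively, as HTTP requires."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    policy = parse_hsts(value)
    if not policy.valid:
        return "invalid"
    return "ok" if policy.max_age >= minimum else "too-short"


def main() -> None:
    # Constructed samples: the thread's default, a 180-day value, and two broken ones.
    samples = {
        "redlib default": {"Strict-Transport-Security": "max-age=604800"},
        "180 days": {"strict-transport-security": "max-age=15552000; includeSubDomains"},
        "no max-age": {"Strict-Transport-Security": "includeSubDomains; preload"},
        "no header": {"Content-Type": "text/html"},
    }
    for label, hdrs in samples.items():
        print(f"{label:15s} -> {assess_headers(hdrs)}")


if __name__ == "__main__":
    main()
```

Feeding it the headers from a real deployment (for instance the dictionary returned by an HTTP client) tells you which layer is setting the policy: if the value matches the 604800 default after you remove the nginx `add_header`, the header is coming from the application, which is exactly what the reporter observed.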

You can set that in the args:

redlib/src/main.rs

Lines 152 to 160 in 9a7da3a

```rust
        .arg(
            Arg::new("hsts")
                .short('H')
                .long("hsts")
                .value_name("EXPIRE_TIME")
                .help("HSTS header to tell browsers that this site should only be accessed over HTTPS")
                .default_value("604800")
                .num_args(1),
        )
```

@sigaloid My mistake, I had no idea. I'm sorry! Though, would you mind me asking how exactly I would go about increasing the max age in my Docker deployment? I'm not sure quite how to pass it along in the .env environment file

That's ok! It's not even documented anywhere, don't worry.

Do you use the Dockerfile or a Docker compose? If you clone the codebase, you can run it via our dev docker. Look around in various files with docker in them, where one of them specifies a command to be run ("./redlib"). Then you can just modify that file and use docker to run it.

@sigaloid I use a Docker Compose and a pretty basic one at that:

```yaml
services:
  redlib:
    image: quay.io/redlib/redlib:latest-arm
    restart: always
    container_name: "redlib"
    ports:
      - 8888:8080
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
      # - seccomp=seccomp-redlib.json
    cap_drop:
      - ALL
    networks:
      - redlib

networks:
  redlib:
    enable_ipv6: true
    ipam:
      config:
        - subnet: 2001:0DB8::/112
```

How would I increase the max age for HSTS via the docker compose? Is there a way to add command line arguments and/or flags?

Unfortunately, not directly, but what you can do is this:

Clone the codebase, modify the dev Dockerfile to add the new flag. Then build it. That will overwrite your current image tag with the new one. Then whenever there's a codebase update, git pull and rerun the build, then restart the compose file.

That being said, I'm considering this to be a bug and will add a configuration option for it.

Ah, I see. Well, unfortunately I'm not sure the manual update process is worth it. Thank you so much for all your help though, greatly appreciate the project! That's great news; in that case, let me know when the configuration option is added :)