sandstorm-io/sandcats

Deploy HTTP Strict Transport Security on sandcats.io


sandcats.io should support HTTP Strict Transport Security, ideally with a long duration and with includeSubdomains on.

Also, since people are unlikely to visit sandcats.io directly and actually get the HSTS header, it'd be nice if the homepage of https://sandstorm.io included a reference to e.g. a Sandcats URL that returns 204 No Content - at least until sandcats.io makes it into the preload list of browsers (assuming you submit it to the preload list). That way anytime someone visits the Sandstorm homepage, their browser's HSTS cache will be primed with an entry for sandcats.io.

I'm assuming all *.sandcats.io instances support HTTPS here, but obviously you guys are the only ones that can confirm that. I would suggest doing this ASAP, since the more users Sandcats gets, the more likely it is that someone will (for whatever harebrained reason) decide to run Sandstorm/Sandcats without HTTPS.

When Sandcats was first introduced, it did not provide free TLS certificates. As a result, there are some Sandcats servers out there that don't have it enabled. Unfortunately we cannot automatically enable TLS since it may require manual intervention to open ports on a firewall or to update reverse proxy configs. We could maybe deprecate the use of sandcats without TLS, showing big fat warning messages on affected servers, and hope that the admins notice... but that seems like a bunch of work. :/ Probably a more efficient use of time would be to enable HSTS specifically on Sandcats subdomains that have TLS enabled.

Additionally, note that sandcats.io is in the public suffix list, which may interact with includeSubdomains in unexpected ways. (We've seen funny behavior before, e.g. a CA refused to give us a certificate for sandcats.io because it was in the public suffix list, which caused the CA's software to treat it as a TLD.)
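The 204 priming endpoint proposed in the issue, combined with the "HSTS only on Sandcats subdomains that actually have TLS" rule from the reply above, as an added example in Node-style JavaScript; this is not sandcats' own code, and `policy`, `tlsHosts`, `allSubdomainsTls` and the function names are assumptions.

```javascript
// Added example (not sandcats' own code). `policy` is a hypothetical record of
// which *.sandcats.io hosts serve HTTPS; the priming path is an invented name.
const ONE_YEAR = 31536000; // seconds; a "long duration" as the issue asks for

// Decide which Strict-Transport-Security value (if any) a host should send.
// Only hosts that really serve TLS get one: browsers enforce HSTS for the
// full max-age, so a header on a plain-HTTP server locks its users out.
function hstsHeaderFor(host, policy) {
  if (host === 'sandcats.io') {
    // includeSubDomains is safe only once every *.sandcats.io serves HTTPS;
    // until then the apex pins itself but leaves TLS-less servers reachable.
    return policy.allSubdomainsTls
      ? `max-age=${ONE_YEAR}; includeSubDomains`
      : `max-age=${ONE_YEAR}`;
  }
  return policy.tlsHosts.has(host) ? `max-age=${ONE_YEAR}` : null;
}

// Parse an HSTS value per RFC 6797 section 6.1: max-age is mandatory, names
// are case-insensitive, values may be quoted, unknown directives are ignored.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val = ''] = directive.split('=').map((s) => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age':
        if (!/^"?\d+"?$/.test(val)) throw new Error(`bad max-age: ${val}`);
        result.maxAge = parseInt(val.replace(/"/g, ''), 10);
        break;
      case 'includesubdomains': result.includeSubDomains = true; break;
      case 'preload': result.preload = true; break;
      default: break;
    }
  }
  if (result.maxAge === null) throw new Error('max-age directive is required');
  return result;
}

// The priming endpoint the issue proposes: an empty 204 carrying the HSTS
// header, so a reference from sandstorm.io's homepage seeds the browser's
// HSTS cache for sandcats.io. Browsers only honour the header when the
// response arrives over HTTPS with a valid certificate.
function primingResponse(host, policy) {
  const headers = {};
  const hsts = hstsHeaderFor(host, policy);
  if (hsts) headers['Strict-Transport-Security'] = hsts;
  return { status: 204, headers };
}
```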

Ah. Right on.

Seems like we could also just send emails (don't all Sandcats accounts have emails on file?) but that doesn't solve the potential suffix problem...