Add Support for HSTS to Enhance HTTPS Security
Thanks for this nice tool!
I would like to suggest the implementation of HTTP Strict Transport Security (HSTS) as a feature in miniserve. This security enhancement is critical as it instructs web browsers to interact with the server only over HTTPS, which prevents SSL stripping attacks.
Why This is Important
HSTS adds an extra layer of security by ensuring that all communications are encrypted and authenticated. Many static file servers used in production might benefit from this added security, especially when sensitive data is involved.
Suggested Implementation
HSTS can be implemented by adding a response header from the server:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Use Case
For users deploying miniserve in environments where security is paramount (like in financial services or health data handling), this would ensure that their content is served over HTTPS at all times.
Only by turning on HSTS can you get an A+ score here: https://www.ssllabs.com/ssltest/
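The header value proposed above is what a browser would parse under RFC 6797, so it is worth checking before it is sent. The following is an added example, not miniserve code and not part of the original issue: it parses a Strict-Transport-Security value into its directives (max-age, includeSubDomains, preload), rejects the malformed forms a browser would silently ignore (missing or non-numeric max-age, repeated directives), and evaluates the hstspreload.org submission criteria (max-age of at least one year, includeSubDomains and preload all present). The function and struct names are this example's own. Two caveats the example encodes: max-age=0 is a valid value that tells the browser to forget the policy for the host, and preload is a commitment that is slow to reverse, so it should only be sent once every subdomain really is served over HTTPS.

```rust
/// Added example (not miniserve code): a Strict-Transport-Security policy
/// as a browser would interpret it after parsing the header value.
#[derive(Debug, PartialEq, Eq)]
pub struct Hsts {
    pub max_age: u64,
    pub include_subdomains: bool,
    pub preload: bool,
}

/// Parse an HSTS header value per RFC 6797 section 6.1.
///
/// Directives are separated by ';', names are case-insensitive, `max-age`
/// is required and carries a delta-seconds value (optionally quoted), and
/// no directive may appear more than once. Unknown directives are ignored,
/// as the RFC requires. Any violation makes a conforming browser drop the
/// whole header, so it is reported here as an error.
pub fn parse_hsts(value: &str) -> Result<Hsts, String> {
    let mut max_age: Option<u64> = None;
    let mut include_subdomains = false;
    let mut preload = false;

    for raw in value.split(';') {
        let directive = raw.trim();
        if directive.is_empty() {
            continue;
        }
        let (name, val) = match directive.split_once('=') {
            Some((n, v)) => (n.trim().to_ascii_lowercase(), Some(v.trim().trim_matches('"'))),
            None => (directive.to_ascii_lowercase(), None),
        };
        match name.as_str() {
            "max-age" => {
                if max_age.is_some() {
                    return Err("max-age given more than once".to_string());
                }
                let v = val.ok_or_else(|| "max-age has no value".to_string())?;
                let secs = v
                    .parse::<u64>()
                    .map_err(|_| format!("max-age is not delta-seconds: {:?}", v))?;
                max_age = Some(secs);
            }
            "includesubdomains" => {
                if include_subdomains {
                    return Err("includeSubDomains given more than once".to_string());
                }
                include_subdomains = true;
            }
            "preload" => {
                if preload {
                    return Err("preload given more than once".to_string());
                }
                preload = true;
            }
            // Unknown directives must be ignored (RFC 6797 section 6.1).
            _ => {}
        }
    }

    let max_age = max_age.ok_or_else(|| "required max-age directive is missing".to_string())?;
    Ok(Hsts { max_age, include_subdomains, preload })
}

/// One year in seconds, the minimum max-age hstspreload.org accepts.
pub const PRELOAD_MIN_MAX_AGE: u64 = 31_536_000;

/// Whether a parsed policy meets the hstspreload.org header requirements.
pub fn preload_eligible(policy: &Hsts) -> bool {
    policy.max_age >= PRELOAD_MIN_MAX_AGE && policy.include_subdomains && policy.preload
}

/// A max-age of zero instructs the browser to delete its stored policy
/// for the host (RFC 6797 section 6.1.1).
pub fn clears_policy(policy: &Hsts) -> bool {
    policy.max_age == 0
}

fn main() {
    // Constructed inputs: the value proposed in the issue and two variants.
    for value in [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=\"600\"; includeSubDomains",
        "includeSubDomains; preload",
    ] {
        match parse_hsts(value) {
            Ok(p) => println!(
                "{:?} -> {:?}, preload eligible: {}, clears policy: {}",
                value, p, preload_eligible(&p), clears_policy(&p)
            ),
            Err(e) => println!("{:?} -> browser would ignore header: {}", value, e),
        }
    }
}
```

Whatever value is chosen, browsers only act on the header when it arrives on an HTTPS response; sent over plain HTTP it is ignored, so it does nothing for a miniserve instance that is not itself terminating TLS or sitting behind a TLS-terminating proxy.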
Sounds good! Would you like to take a stab at this?
Sounds good! While I was on the quest to add the --custom-headers parameter, I discovered that the --header parameter was already present and perfectly fit for purpose in args.rs.
I’ve submitted a PR here: https://github.com/svenstaro/miniserve/pull/1389/files. It’s less about creating what wasn’t there and more about illuminating the paths that are rarely taken.
I hope this contribution makes miniserve even more useful. Please let me know if there are any further areas to explore or modifications needed on this enhancement.