Configuration of HTTP Strict Transport Security (HSTS) for GitLab Managed Applications
Release notes
Problem to solve
As a deployer of a production, revenue-generating site, I need control over the HTTP Strict Transport Security (HSTS) configuration used on my deployed application. The required values are dictated by browser preload lists and are evaluated as part of pen tests and other third-party security assessments.
At a minimum, max-age needs to be configurable to the minimum value required for eligibility for Chrome's preload list (which has some other requirements as well). From a product perspective, it would likely need to be configurable per environment, with values along the lines of those described in: https://hstspreload.org/#deployment-recommendations.
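As an added example, not part of this issue or of GitLab's code, here is a small checker for the staged ramp-up that hstspreload.org describes: it parses a Strict-Transport-Security header value, lists why it would not yet qualify for the preload list, and returns the next max-age in the ramp-up. The stage values and the one-year minimum are assumed from the public hstspreload.org recommendations, not from this issue.

```python
import re

# Stages of the ramp-up recommended at https://hstspreload.org/#deployment-recommendations
# (seconds; assumed from the public recommendation, not stated in this issue).
DEPLOYMENT_STAGES = [300, 604800, 2592000, 63072000]   # 5 min, 1 week, 1 month, 2 years
PRELOAD_MIN_MAX_AGE = 31536000                          # 1 year minimum for the preload list


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive and must not repeat (RFC 6797, section 6.1);
    max-age is mandatory and must be a non-negative integer.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if value else None
    if not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def preload_problems(header):
    """Return the reasons this header is not yet eligible for Chrome's preload list."""
    d = parse_hsts(header)
    problems = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def next_stage_max_age(header):
    """Next max-age in the staged ramp-up, or None once the final stage is reached."""
    current = int(parse_hsts(header)["max-age"])
    for seconds in DEPLOYMENT_STAGES:
        if seconds > current:
            return seconds
    return None


if __name__ == "__main__":
    for h in ("max-age=300", "max-age=63072000; includeSubDomains; preload"):
        print(h, "->", preload_problems(h) or "preload-eligible", "next:", next_stage_max_age(h))
```

Running the checker against each environment's live response headers in a pipeline job is one way to catch the configuration reverting.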
Intended users
User experience goal
Proposal
For an example of a product that ships fixed deployment options as defaults and then allows customization, see: https://docs.fastly.com/en/guides/enabling-hsts-through-fastly
Further details
Permissions and Security
Project Maintainers and Owners will have additional configuration available to them for each environment.
Documentation
Availability & Testing
What does success look like, and how can we measure that?
We (GitLab) have several of our own external sites deployed this way and receive lower scores on third-party assessments as a result. This would be an issue for anyone using GitLab to deploy their production sites. We will be successful when the configuration is easily managed and does not revert.
What is the type of buyer?
The buyer for this feature is the organization's DRI for maintaining a trustworthy security posture for external, revenue-generating sites deployed with GitLab.
Is this a cross-stage feature?
Links / references
Here is a Qualys blog post on the subject of HSTS: https://blog.qualys.com/vulnerabilities-research/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server