HTTP Strict Transport Security is a very nice feature. By returning a response with this header set from a properly configured HTTPS site, you instruct browsers not to contact your server over unsecured channels again, at least until the validity period of the header times out. Even better, by submitting your domain to Google, they'll put it on a preload list that is embedded in all the major browsers, so the browser will insist on a secured channel even the first time it connects to your server. Great stuff, you should use it!
Now I maintain the code for a few web sites, and as a precaution against my own fuck-ups, I have set up a virtual mirror of my hosting environments as a staging area. That is where I deploy my code once I think I have done something useful to it, and if it works there, I go on and deploy it to the actual production servers. Again, VirtualBox makes this easy and straightforward to do.
The final piece of the puzzle is of course to hack the hosts file on my system so that Server Name Indication (SNI) works as it should on my virtual staging boxes. Since I don't want to block access to the production servers, I have created my own internal TLD (.dev, as it happens) and use names under that TLD to reach my staging setups. This has worked flawlessly for a long time.
Just this weekend I had to pick up an old project for some fairly simple fixes. The code changes didn't take much time; deploying to the staging server is always more painful, but not more than usual. It's when I point my web browser at the staging site to see that everything works that the pain begins... Firefox helpfully informs me that the site is using HSTS, so a self-signed cert will not do, thank you! Qutebrowser just hangs around and does nothing... Curl is happy to give me the site, as long as I tell it not to be too picky about the cert. So I know the server is working, and as expected the returned headers don't mention anything at all about HTTP Strict Transport Security. No matter how sternly I frown, nothing can convince Firefox or Qutebrowser to show me my site.
Checking https://hstspreload.org to see if some nuthead has submitted my internal site to the HSTS preload list, and sure enough - there it is! That's when I discovered Google has registered the .dev top level domain, and I'll have to find myself another one for my internal tests. That means reconfiguring my staging VMs, regenerating certs and changing my hosts files as well. Hopefully I can find something that will never be an official TLD, so nobody will submit any name that matches mine to the HSTS preload list.
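To make the two mechanisms above concrete, here is an added example (not code from the original post): a small parser for the Strict-Transport-Security header as described in the first paragraph, a check of the directives hstspreload.org requires for submission (a max-age of at least one year, includeSubDomains and preload), and a lookup that mirrors how a browser consults the embedded preload list. The preload entries are constructed for the example; only the `dev` entry reflects a real list entry, and it is the reason a staging host under .dev is forced to HTTPS even when the server itself never sends the header.

```python
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; hstspreload.org's minimum max-age for submission

# Constructed sample in the shape of Chromium's preload entries (name + include_subdomains).
# "dev" is really on the list as a whole TLD; the other entries are made up for this example.
SAMPLE_PRELOAD = [
    {"name": "dev", "include_subdomains": True},
    {"name": "example.com", "include_subdomains": False},
]


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directives are ';'-separated, names are case-insensitive, unknown
    directives are ignored, and max-age is mandatory.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer: %r" % value)
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security requires a max-age directive")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy):
    """True if the header meets hstspreload.org's submission requirements."""
    return policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload


def preload_entry_for(hostname, entries=SAMPLE_PRELOAD):
    """Return the preload entry that covers `hostname`, or None.

    A host is covered if it is listed exactly, or if any parent domain
    (up to and including the TLD) is listed with include_subdomains.
    """
    labels = hostname.lower().rstrip(".").split(".")
    by_name = {e["name"]: e for e in entries}
    for i in range(len(labels)):
        entry = by_name.get(".".join(labels[i:]))
        if entry is None:
            continue
        if i == 0 or entry["include_subdomains"]:
            return entry
    return None


def https_enforced_by(hostname, response_headers, entries=SAMPLE_PRELOAD):
    """Explain why a browser would refuse plain HTTP / an untrusted cert for `hostname`.

    Returns "preload" if the embedded list covers the host, "header" if the
    server's own response carries a valid HSTS header, or None otherwise.
    """
    if preload_entry_for(hostname, entries) is not None:
        return "preload"
    for name, value in response_headers.items():
        if name.lower() == "strict-transport-security":
            parse_hsts(value)  # raises on a malformed header
            return "header"
    return None


if __name__ == "__main__":
    # Constructed headers as returned by the staging server in the post: no HSTS at all.
    staging_headers = {"Content-Type": "text/html", "Server": "nginx"}
    print(https_enforced_by("staging.example.dev", staging_headers))   # preload
    print(https_enforced_by("staging.example.test", staging_headers))  # None
```

Note that the lookup walks from the full host name up to the bare TLD, which is exactly why registering `dev` with `include_subdomains` pins every name beneath it; a TLD reserved by RFC 2606 such as `.test` is never on that list.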
Grumpf!
Tags: #hsts #tld #webdev #tls #security #programming