HSTS Preloading using Nginx, Letsencrypt and Capistrano.😎

Sonica Arora — Mon, 15 Oct 2018 14:40:36 +0000

Quick tip: HSTS stands for HTTPS Strict Transport Security.

HSTS is a security policy mechanism that protects against protocol downgrade attacks. In simple terms it means forcing the browsers to always use https over http for your website. HSTS also protects against cookie hijacking but we'll leave that discussion out for another post.

In the post below we talk about how to quickly configure your web-server (nginx) to imply HSTS on all subsequent requests and then hardcode this rule into Chrome and other major browsers to default on https for your website using HSTS preloading.

We're doing this on Bubblin Superbooks now. 😇

I recommend reading the following blog by Scott Helme to learn more about HSTS preloading.

…a list of hosts that wish to enforce the use of SSL/TLS on their site is built into a browser. This list is compiled by Google and is utilised by Chrome, Firefox and Safari. These sites do not depend on the issuing of the HSTS response header to enforce the policy, instead the browser is already aware that the host requires the use of SSL/TLS before any connection or communication even takes place.

The ‘preloading’ part here is a way for site administrators to tell the vendors in advance that their site is on https only. This way browsers can skip trying downgraded requests over insecure http altogether.

HSTS directive for Nginx

Now we use the old boy Capistrano for automatic deployments of Bubblin and serve books over https only, so configuring nginx over to strict https with preloads was super easy. I edited the template picked up by the capistrano3-nginx gem for http --> https redirection and added the following directive at the end of the file to what is now our latest nginx config template.


# Path to ./config/deploy/templates/nginx_conf.erb on your rails app
# Jump over to the last line!
… 

server {
    listen 80;
    listen [::]:80 ipv6only=on; 
    server_name <%= fetch(:nginx_server_name) %> www.<%= fetch(:nginx_server_name) %>;
    rewrite ^(.*) https://$host$1$request_uri permanent;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;  
  server_name www.<%= fetch(:nginx_server_name) %>;


  # Redirection from http --> https is mandatory.
  rewrite ^ https://<%= fetch(:nginx_server_name) %>$request_uri permanent; 

}

server {
  server_name <%= fetch(:nginx_server_name) %>;
  root <%= current_path %>/public;
  try_files $uri/index.html $uri @puma_<%= fetch(:nginx_config_name) %>;

  …
  …

  # Plenty of nginx configuration here.

  # SSL is mandatory for HSTS. We're using 
  # Certbot to manage Letsencrypt for us.

  listen 443 ssl http2; # managed by Certbot
  listen [::]:443 ssl http2;



  # Add HSTS header with preload. This is the line that does it.
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

}

The HSTS directive add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; at the bottom does it and tells the user's browser to always use https for your site.

Commit the changes and then re-deploy ($ cap production deploy). Now head over to hstspreload.org.

This is where we submit our site for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list. The list of sites that are hardcoded into Chrome as being https only. Most major browsers like Firefox, Opera, Safari, IE 11 and Edge also have HSTS preload lists based on the list compiled by Chrome. In order to be accepted to and remain on the HSTS preload list through this form, your site must satisfy the following set of requirements perpetually:

1. Serve a valid certificate.
2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
3. Serve all subdomains over HTTPS.
    In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
4. Serve an HSTS header on the base domain for HTTPS requests:
    i. The max-age must be at least 31536000 seconds (1 year).
    ii. The includeSubDomains directive must be specified.
    iii. The preload directive must be specified.
    iv. If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

It should also be noted here that hardcoding HSTS preloading into browsers doesn't automatically mean that all aspects of security have been taken care of. It surely helps with security and plus there is a small improvement in speed and performance of your web-server because it no longer has to determine and switch between secure and insecure protocols.

That's all there is to it with HSTS folks. ❤️

I'm Sonica Arora, CTO of Bubblin Superbooks and you can follow me here on Twitter.

P.S.: Did you know that Bubblin is a cool new way to read books on your iPad?

We got our green cards and here is our startup!

Sonica Arora — Thu, 30 Aug 2018 12:31:11 +0000

TLDR; Meet ✨Bubblin Superbooks–A modern book reader for web.✨

[…a huge yay!, a thousand 🎉🎉🎉s pop, and the 🍾🍾🍾 flows and a million 🎊 🎊 🎊 fall to the ground…]

Hello!

It feels awesome to finally be able to say this (after five years of wait):

We have a startup! 😇

Meet Bubblin Superbooks - a fun little project that my husband and I have built using Ruby on Rails, Postgres and JavaScript (Node). Bubblin is tablet first, so please pick up your iPad and flip open a book to start reading.

A little backstory. We always thought that if books are not files, why should e-books be?! To escape this notion of a file masquerading as an e-book (sic), we created Bubblin Superbooks and gave free and beautiful books a new home on web.

On Bubblin, you can heart books that you like or share them with your friends. Or you can simply hangout with other book lovers and be a part of a quiet, calm and level-headed community.

Since Bubblin is all about reading longform, we wanted the books to go offline-first. How couldn't we?!

We use a simple Service Worker instance under each book and introduce offline book reading on web, thus making it a very close to experience of reading real books offline. While Bubblin has been designed for a power tablet user on mind, it works just as good on desktops and mobile. It scales perfectly even on Apple Watch and an LCD TV.

Bubblin makes books enjoyable like never before, without ever needing us to leave the one place that we have come to love so much—the web! And, without felling a single happy tree! 🌱:)

For books we're relying on the awesome Gutenberg classics along with a few+new+titles contributed by the awesome community of writers. There's an OSS writer's tool in the works so hit me up if you wish it give its prerelease a go!

Now there's a lot going on with this little project of ours, and not everything is cool or even easy to reason about at the moment. But I'm sure that some of you’ll like it and share a word about us with your friends.

Good or bad, we are eager to hear your thoughts and feedback in the comments below.

An alternate version of this article appeared on The Bubblin Blog.

DEV Community: Sonica Arora

HSTS Preloading using Nginx, Letsencrypt and Capistrano.😎

HSTS directive for Nginx

We got our green cards and here is our startup!