[Ready for Review] Add HSTS (HTTP Strict Transport Security) support #3165
This commit implements HSTS as a built-in Nebari feature, addressing
security compliance requirements mentioned in the related issue.
Changes:
- Add HSTS configuration schema to Ingress class with options for:
  - enabled: Toggle HSTS on/off (default: false)
  - max_age: HSTS max-age in seconds (default: 31536000 = 1 year)
  - include_subdomains: Include subdomains in policy (default: true)
  - preload: Enable HSTS preload (default: false)
- Create Traefik middleware resource for HSTS headers
  - Conditionally created based on hsts-enabled setting
  - Applies to both websecure (443) and minio (9080) entrypoints
- Update Traefik deployment to use HSTS middleware when enabled
Users can now enable HSTS in their nebari-config.yaml:
```yaml
ingress:
  hsts:
    enabled: true
    max_age: 31536000
    include_subdomains: true
    preload: false
```
This replaces the previous workaround of manually creating middleware
resources and using terraform_overrides.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed the default HSTS max-age from 31536000 (1 year) to 30 seconds to allow safe initial testing of HSTS configuration.
Rationale:
- HSTS headers instruct browsers to remember HTTPS enforcement for the specified duration
- If misconfigured with a long max-age, users could be locked out until the duration expires
- A 30-second default allows administrators to validate the configuration works correctly before committing to a longer duration
Added detailed comments in:
- Python schema (__init__.py) explaining the conservative default
- Terraform variables (variables.tf) noting the production recommendation
- Middleware resource (hsts-middleware.tf) with example configuration
Users should increase max_age to production values (e.g., 31536000) after validating their deployment works correctly.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
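As an added example (not code from this PR or from Nebari), the Python below renders the `Strict-Transport-Security` header from the `ingress.hsts` block described in the first commit and reviews a served header against the lockout concern behind the 30-second default; the function names and the `cert_is_trusted` flag are this example's own stand-ins, and the preload rule it checks (max-age of at least one year plus includeSubDomains) is the hstspreload.org submission requirement.

```python
# Added example: mirrors the ingress.hsts options (enabled, max_age,
# include_subdomains, preload); not Nebari's implementation.
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the PR's recommended production max_age


def build_hsts_header(hsts: dict) -> Optional[str]:
    """Render Strict-Transport-Security from the ingress.hsts block; None when
    disabled. Defaults mirror the PR: max_age 30, include_subdomains on, preload off."""
    if not hsts.get("enabled", False):
        return None
    parts = [f"max-age={int(hsts.get('max_age', 30))}"]
    if hsts.get("include_subdomains", True):
        parts.append("includeSubDomains")
    if hsts.get("preload", False):
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts_header(value: str) -> dict:
    """Parse the directives of a served Strict-Transport-Security header."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def review_hsts_header(value: str, cert_is_trusted: bool) -> List[str]:
    """Findings to resolve before raising max_age from the 30-second default.
    cert_is_trusted stands in for the PR's cert-type check (letsencrypt/existing)."""
    findings = []
    policy = parse_hsts_header(value)
    if policy["max_age"] is None:
        return ["missing max-age: header is invalid and browsers ignore it"]
    if not cert_is_trusted and policy["max_age"] > 0:
        findings.append("HSTS with an untrusted cert locks users out until max-age expires")
    if policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: fine for testing, raise for production")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]):
        findings.append("preload requires max-age >= 31536000 and includeSubDomains")
    return findings
```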
| cert_type = config.get("certificate", {}).get( | ||
| "type", CertificateEnum.selfsigned.value | ||
| ) | ||
| is_valid_cert = cert_type in [CertificateEnum.letsencrypt.value, "existing"] |
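Review bot: in `is_valid_cert = cert_type in [CertificateEnum.letsencrypt.value, "existing"]`, the existing-certificate case is a bare string literal while the Let's Encrypt case is taken from `CertificateEnum`; if the enum has a member for existing certificates, compare against its `.value` as well so that a renamed or mistyped value fails loudly instead of silently leaving HSTS disabled at init. A one-line comment stating why self-signed (the `.get` default) is deliberately excluded would also help the next reader.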
add hsts to nebari config on nebari init ... if cert type is letsencrypt or existing
| # Initialize HSTS based on certificate type if not explicitly configured | ||
| hsts = self.config.ingress.hsts | ||
| if hsts is None: |
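Review bot: `if hsts is None:` only fires when the schema leaves `ingress.hsts` unset; the first commit message says `enabled` defaults to `false`, so if the schema instantiates an HSTS object by default this branch never runs and the cert-type default described in the PR summary is never applied. Please confirm the field is declared optional with `None` as its default, and add a test asserting that a config with a Let's Encrypt certificate and no `hsts` block ends up with HSTS enabled.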
if hsts is not in config, then default to enabling it for lets-encrypt and existing certs, otherwise default to disabling it
This will be pushed to a minor release after this one is done.
Closes #3121
Docs Issue - nebari-dev/nebari-docs#605
We should add some stuff in the next release upgrade - #3168
Summary
This PR adds built-in HSTS (HTTP Strict Transport Security) configuration to Nebari's ingress layer.
If HSTS is unspecified, it will be enabled for existing and Let's Encrypt certs, but not for self-signed or no cert.
Example Configuration