Merge pull request #136 from jdno/configure-hsts-for-crates-io

Enable response header policy for staging.crates.io

Author: jdno

terraform/crates-io/.terraform.lock.hcl

@@ -42,4 +42,6 @@ module "staging" {
   webapp_origin_domain = "staging-crates-io.herokuapp.com"
 
   iam_prefix = "staging-crates-io"
+
+  strict_security_headers = true
 }

terraform/crates-io/envs.tf

@@ -59,3 +59,8 @@ variable "dns_apex" {
   type    = bool
   default = false
 }
+
+variable "strict_security_headers" {
+  type    = bool
+  default = false
+}

terraform/crates-io/impl/_terraform.tf

@@ -25,6 +25,8 @@ resource "aws_cloudfront_distribution" "webapp" {
     min_ttl     = 0
     max_ttl     = 31536000 // 1 year
 
+    response_headers_policy_id = var.strict_security_headers ? aws_cloudfront_response_headers_policy.webapp[0].id : null
+
     forwarded_values {
       headers = [
         // The crates.io website and API respond with different content based
@@ -125,3 +127,22 @@ resource "aws_route53_record" "webapp_apex" {
     evaluate_target_health = false
   }
 }
+
+# Set strict-transport-security headers for crates.io and its subdomains
+# See https://github.com/rust-lang/crates.io/issues/5332 for details
+resource "aws_cloudfront_response_headers_policy" "webapp" {
+  count = var.strict_security_headers ? 1 : 0
+
+  name = replace(var.webapp_domain_name, ".", "-")
+
+  security_headers_config {
+    strict_transport_security {
+      access_control_max_age_sec = 31536000
+      include_subdomains         = true
+      preload                    = false
+
+      # Override the response header received from the origin
+      override = true
+    }
+  }
+}