Implement HSTS #61

@dandoug

Description

Implementing HSTS for Your AWS ElasticBeanstalk Application

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking by telling browsers that they should only interact with the website using secure HTTPS connections.

What HSTS Does

HSTS instructs browsers to:

  1. Automatically convert all HTTP requests to HTTPS
  2. Prevent users from bypassing certificate warnings
  3. Remember this policy for a specified period (typically 6 months to 2 years)

This provides significant security benefits by ensuring all communication with your site happens over encrypted connections.

Implementing HSTS with Nginx on ElasticBeanstalk

Since your application uses Nginx with SSL termination and Certbot for certificate management, here's how to implement HSTS:

1. Create a Custom Nginx Configuration

Create a directory structure for your custom Nginx configuration:

mkdir -p .platform/nginx/conf.d/

2. Create an HSTS Configuration File

Create a file named .platform/nginx/conf.d/hsts.conf with the following content:

# Enable HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

This configuration:

  • Sets the HSTS policy to be valid for 1 year (31536000 seconds)
  • Applies the policy to all subdomains with includeSubDomains
  • Includes the preload directive to make your site eligible for inclusion in browsers' HSTS preload lists
  • Uses always to ensure the header is sent with all response codes (not just 200 OK)

3. Deploy Your Application

After adding this configuration, deploy your application to ElasticBeanstalk. The custom Nginx configuration will be applied automatically.

Important Considerations

Testing Before Full Deployment

Before implementing a long max-age, consider testing with a shorter duration:

add_header Strict-Transport-Security "max-age=300; includeSubDomains" always;

This sets the policy to expire after 5 minutes, allowing you to test without long-term commitment.

Impact on Help Scout Beacon

The HSTS policy won't affect your Help Scout beacon as long as:

  1. The beacon is loaded over HTTPS
  2. All resources the beacon loads are served over HTTPS

Since Help Scout serves all its content over HTTPS, your beacon should continue to function normally with HSTS enabled.

Preloading Consideration

The preload directive makes your site eligible for inclusion in browsers' built-in HSTS preload lists. Before including this:

  1. Ensure you're prepared to maintain HTTPS for your entire domain and all subdomains permanently
  2. Verify all resources on your site are served over HTTPS

If you want to actually submit your site to the preload list, you'll need to visit hstspreload.org and follow their submission process.

Monitoring and Verification

After implementing HSTS:

  1. Verify the header is being sent correctly (HTTP/2 responses print header names in lowercase, so match case-insensitively):

    curl -sI https://booklist.media | grep -i Strict-Transport-Security

  2. Test your site with SSL Labs to ensure proper HTTPS configuration
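As an added example (not part of this issue or the project), the following POSIX shell script turns the manual curl check above into a repeatable one. It pulls the Strict-Transport-Security value out of a response header dump, reads max-age, and classifies the policy as preload-ready (max-age of at least 31536000, includeSubDomains and preload all present, which is what hstspreload.org requires), enforced, short-max-age (the 5-minute testing value from the section above), or invalid. The sample headers are constructed inline so it runs offline; the hostname in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: validate a Strict-Transport-Security header value against
# the hstspreload.org submission requirements. Not from the issue or project.
set -u

# Print the Strict-Transport-Security value from raw response headers on
# stdin. Header names are case-insensitive and HTTP/2 dumps them lowercase,
# so match with -i; strip CRs so HTTP/1.1 lines parse the same way.
hsts_header_value() {
  tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Split an HSTS value on ';' and print one trimmed directive per line.
hsts_directives() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# Print the max-age seconds from an HSTS value (quotes removed); empty if absent.
hsts_max_age() {
  hsts_directives "$1" | grep -i '^max-age=' | head -n 1 | cut -d= -f2- | tr -d '"'
}

# Exit 0 when the named directive (e.g. includeSubDomains) is present.
hsts_has_directive() {
  hsts_directives "$1" | grep -qi "^$2\$"
}

# Classify an HSTS value: prints preload-ready, enforced, short-max-age or
# invalid. Exit status is 0 only for preload-ready.
hsts_classify() {
  value="$1"
  max_age="$(hsts_max_age "$value")"
  case "$max_age" in
    ''|*[!0-9]*) echo invalid; return 1 ;;
  esac
  # hstspreload.org requires at least one year (31536000 seconds).
  if [ "$max_age" -lt 31536000 ]; then
    echo short-max-age; return 1
  fi
  if hsts_has_directive "$value" includeSubDomains \
     && hsts_has_directive "$value" preload; then
    echo preload-ready; return 0
  fi
  echo enforced; return 1
}

# Constructed sample response headers (not captured from a real host). For a
# live check, replace this with: curl -sI https://example.invalid
SAMPLE_HEADERS='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: text/html'

sample_value="$(printf '%s\n' "$SAMPLE_HEADERS" | hsts_header_value)"
echo "Strict-Transport-Security: $sample_value"
hsts_classify "$sample_value"   # prints preload-ready
```

If the check reports no header at all even though hsts.conf deployed, remember that nginx add_header directives are inherited from the http level only when the server or location block answering the request defines no add_header of its own; a lower-level add_header silently drops the inherited ones, so the HSTS line has to be repeated there.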

Conclusion

By implementing HSTS, you'll significantly enhance your application's security by ensuring all client-server communication happens over HTTPS. The configuration is straightforward with Nginx on ElasticBeanstalk and works seamlessly with your existing Certbot SSL setup.
