Goal
Enable HSTS on your Platform.sh project. Read more about HSTS on Wikipedia.
Assumptions
You will need:
- A local git repository that has the Platform.sh project as a git remote
- A working application set up on the Platform.sh project
This how-to works whether you use the auto-generated domains on platformsh.site
or your own custom domain.
Steps
1. Check https is enabled
The ./.platform/routes.yaml file should contain only an https route. With no http route defined, Platform.sh redirects plain-http requests to the https one; an explicit http://{default}/ upstream route would keep serving the site unencrypted.
https://{default}/:
    type: upstream
    upstream: app:http
2. Add the strict_transport_security configuration item to your route file:
./.platform/routes.yaml
https://{default}/:
    type: upstream
    upstream: app:http
    tls:
        strict_transport_security:
            enabled: true
            include_subdomains: true
            preload: true
Refer to the Platform.sh documentation for details about the different parameters. Two of them deserve care: include_subdomains makes browsers refuse plain http for every subdomain of the host as well, so every subdomain must already be reachable over https; preload only adds the preload token to the header, and the domain is baked into browsers only after you submit it at hstspreload.org (which requires the header on the apex domain with a max-age of at least one year, includeSubDomains and preload), a step that is very hard to reverse once it has shipped in browsers.
3. Commit and deploy the change
git add .platform/routes.yaml
git commit -m "Enable HSTS"
git push platform master
4. Check HSTS is enabled
Check the response headers sent by the server, either in the browser's developer tools (network panel) or with curl:
$ curl -I https://master-7rqtwti-<project id>.<region>.platformsh.site
HTTP/2 200
...
strict-transport-security: max-age=31536000; includeSubDomains; preload
...
Because the route file defines only an https route, any request to the http endpoint is redirected to https:
$ curl -I http://master-7rqtwti-<project id>.<region>.platformsh.site
HTTP/1.1 301 Moved Permanently
...
Location: https://master-7rqtwti-<project id>.<region>.platformsh.site/
Strict-Transport-Security: max-age=0
...
The max-age=0 header on this plain-http response is harmless: browsers ignore a Strict-Transport-Security header that arrives over an insecure connection (RFC 6797), so the policy is only learned from the https response above. Note also that HSTS protects returning visitors; a client that has not yet seen the header still sends its first request over plain http and depends on the redirect, unless the domain is in the browsers' preload list.
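To turn step 4 into a repeatable check, the following script parses a Strict-Transport-Security header the way a browser (RFC 6797) and the hstspreload.org submission rules read it, and reports what is missing. It is an added example, not part of the Platform.sh how-to or of Platform.sh's own tooling; the three responses embedded in it are constructed, modelled on the curl -I output above, and example.platformsh.site is a placeholder hostname. In practice you would feed it the output of `curl -sI` on the https and http URLs of your site.

```python
"""Validate an HSTS header as a browser (RFC 6797) and the hstspreload.org
checker would. Added example; sample responses below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year: the minimum the preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security field value.

    Directive names are case-insensitive, max-age is mandatory, each directive
    may appear at most once and unknown directives are ignored (RFC 6797 s6.1).
    Returns None for an invalid value: a browser ignores such a header entirely
    rather than applying it partially.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name in seen:
            return None  # a duplicated directive invalidates the whole header
        seen.add(name)
        if name == "max-age":
            if not raw.isdigit():
                return None  # max-age must be delta-seconds
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(scheme: str, raw_headers: str) -> List[str]:
    """Return the problems with the HSTS policy in a raw response (the text that
    `curl -I` prints). An empty list means HSTS is active and preload-eligible.

    `scheme` is the scheme of the URL that was requested: a browser ignores the
    header completely when the response arrived over plain HTTP (RFC 6797 s8.1),
    which is why the max-age=0 on the http:// redirect never takes effect.
    """
    if scheme.lower() != "https":
        return ["response came over plain HTTP: browsers ignore HSTS here, "
                "check the https:// URL instead"]
    values = [line.split(":", 1)[1].strip()
              for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["no Strict-Transport-Security header in the response"]
    policy = parse_hsts(values[0])  # with several STS fields a UA uses only the first
    if policy is None:
        return ["Strict-Transport-Security header is malformed and will be ignored"]
    problems = []
    if policy.max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={policy.max_age} is below the one-year minimum for preload")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing (required for preload)")
    if not policy.preload:
        problems.append("preload token missing")
    return problems


# Constructed responses modelled on step 4; example.platformsh.site is a placeholder.
HTTPS_RESPONSE = """HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://example.platformsh.site/
Strict-Transport-Security: max-age=0
"""
WEAK_HTTPS_RESPONSE = """HTTP/2 200
Strict-Transport-Security: max-age=300
"""

if __name__ == "__main__":
    for scheme, raw in (("https", HTTPS_RESPONSE), ("http", HTTP_REDIRECT),
                        ("https", WEAK_HTTPS_RESPONSE)):
        print(scheme, raw.splitlines()[0], "->", evaluate(scheme, raw) or "OK")
```

The first constructed response passes cleanly, the http redirect is reported as ignored rather than as a policy, and the weak response lists every gap between what is served and what the preload list requires.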
Conclusion
Because the Platform.sh router exposes strict_transport_security as a route option, enabling HSTS is a small configuration change: the router adds the header to every https response, so the application does not need to set it itself.