HSTS on Fly

Hi folks!

Let’s say I have an app running on Fly where TLS and certificates are handled by Fly.

Is it possible to somehow use HSTS in this scenario? (HTTP Strict Transport Security)

If it is possible I would love some guidance on how to configure it.

2 Likes

Hey there,

Given that HSTS is nothing more than an HTTP header, as long as you serve that header then you’re good to go.

As far as how to go about doing that, it really depends on your application. If you’re just serving static files with one of the builtins for example, then you’d need to do a bit of customising as, to my knowledge, there is no way to provide response headers besides sending them from your application (i.e. there’s no way to configure the layers between your application and the end user to apply headers on behalf of your app).

As an example, my static site is served using an nginx docker image deployed to Fly but if you have a running application, there should be a way to provide response headers.

If you can provide some more information on the type of thing you’re deploying, I’m sure the community would be happy to provide some pointers.

1 Like

Hi Marcus,

So far I don’t have any image or application to provide examples from.

To be honest I think I made it more complicated in my mind than it needed to be :smile_cat:

As you said, for any custom application it’s simply a question of emitting the Strict-Transport-Security header.

I think I know how to proceed.

Thank you for your reply!

1 Like

Just a quick note that I have a flag in the pipeline to have our edge CDN automatically handle HSTS for apps if they’re marked “secure”. You can absolutely just set the header yourself, but we’re going to make this easy, soon.

1 Like

@thomas So what I’m hearing is there could be the possibility for customers to set custom headers at the CDN level in future? :stuck_out_tongue:

What headers would you like to be able to set?

In general, one thing that usually seems harder than it needs to be for small time users hosting a static site, is enforcing proper security headers such as HSTS, X-Frame-Options and all the other security headers that help me get an A+ on my good boy security posture report card :stuck_out_tongue:

Personally, I think Netlify solves this nicely through netlify.toml but then it leaves me kind of annoyed that I can’t poke at their underlying infrastructure. Github Pages provides no configuration beyond a custom domain either. Fly seems like that sweet spot (paradoxically) between allowing “basically no config” at the same time as “i want to touch everything if and when i need to”

Having said that, I’d prefer to just use the built ins for my site but then I end up dropping out to creating a custom Docker image with config to add headers (and eventually access log shipping for basic analytics), which is fine to do but to some extent, it feels like yak shaving. The fact I can do that without leaving the platform is a big win though.

Having said all this, whether this is actually something Fly could or should be concerned with providing is an entirely different story! Is there a line that shouldn’t be crossed where you start blurring into what is almost developer experience as opposed to staying in the well defined area of deployment? :woman_shrugging: Beats me but it seems like an easy win for less experienced users to configure headers without having to drop out of the builtins I think

1 Like

This is great! I think generally features where we optionally set some sane set of headers are pretty easy for us to do, so I’m kind of on the lookout for them. We’re very interested in letting people deploy static assets without having a lot of compute behind them; there’s more news coming out about that too.

Thanks!

If anyone thinks of headers they want our CDN layer to be able to set, we’re interested!

1 Like

This is now basically unrelated to the thread but as far as static stuff goes, I imagine a diagram in my head where it’s like Hello, I would like to:

  • Deploy a static site
  • Poke around the server logs to know if people are using it[1]
  • Not have to do everything myself

and so far, I can only pick two. Netlify let me do 2 1/2 but paying $9/month per domain just for analytics (hosting is weirdly free) AND I can’t get a copy of the logs feels like I’m a bit too far removed from my deployment. Admittedly, I’d happily pay $9/month if they’d just send me the raw access logs and I analyse them myself!

[1]: For a variety of reasons: Privacy for visitors but also users block analytics scripts (I do too!) and it’s one less request for the user to make when the data I’m after (what pages are visited, what weird bots are making requests) already exists on some server somewhere

Hi @thomas!

I have an app running on Fly with TLS certificates. A snippet of my fly.toml:

[[services]]
  # ...
  [[services.ports]]
    force_https = true
    handlers = ["http"]
    port = 80
  [[services.ports]]
    handlers = ["tls", "http"]
    port = 443
  # ...

I used https://securityheaders.com/ to scan the app, and the only thing it dinged me on was a missing HSTS header.

According to the docs, it sounds like force_https takes care of this? (Healthcare apps on Fly · Fly Docs)

You can absolutely just set the header yourself, but we’re going to make this easy, soon.

How do we set the header ourselves? In this case, I’m running a third-party Docker image and I won’t be able to easily modify the source code to set that header. :sweat_smile:
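Two ways of getting the header out that cover both situations raised in this thread (Marcus’s “emit it from your application” advice, and the last question about a third-party image you can’t modify), written as an added example rather than code from this thread or from Fly. It assumes Go, assumes Fly terminates TLS at the edge so the app only ever sees plain HTTP from the proxy (the browser still applies the header because its own connection to the edge was HTTPS), and assumes the unmodified third-party container is reachable on a local port named by a hypothetical UPSTREAM variable while the proxy below listens on 8080 as the app’s internal_port. force_https in fly.toml only redirects port 80 to 443; it does not add Strict-Transport-Security, which is why the scanner still flags it.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// Header value for a site that has committed to HTTPS: one year, applied to
// subdomains too. Drop includeSubDomains if any subdomain still needs plain
// HTTP; add "; preload" only if you intend to submit the domain to the
// browser preload list, since that is hard to undo.
const hstsValue = "max-age=31536000; includeSubDomains"

// withHSTS is the "your own application" case: wrap your handler and every
// response carries the header. Browsers ignore HSTS received over plain
// HTTP (RFC 6797), so sending it unconditionally behind Fly's TLS
// termination is harmless and needs no per-request proto check.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// newHSTSProxy is the "third-party image" case: a small reverse proxy that
// sits in front of the unmodified upstream and adds the header on the way
// out. Run it as the process Fly routes to and point it at the image.
func newHSTSProxy(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	proxy.ModifyResponse = func(resp *http.Response) error {
		// Set, not Add: if the upstream already emits its own HSTS header we
		// must not end up with two conflicting values in one response.
		resp.Header.Set("Strict-Transport-Security", hstsValue)
		return nil
	}
	return proxy
}

func main() {
	// Assumed layout (not Fly's): the third-party container listens on
	// UPSTREAM, e.g. http://127.0.0.1:3000, and this proxy is internal_port 8080.
	target := os.Getenv("UPSTREAM")
	if target == "" {
		target = "http://127.0.0.1:3000"
	}
	u, err := url.Parse(target)
	if err != nil {
		log.Fatalf("bad UPSTREAM %q: %v", target, err)
	}
	log.Printf("adding HSTS, proxying :8080 -> %s", u)
	log.Fatal(http.ListenAndServe(":8080", newHSTSProxy(u)))
}
```

After deploying, re-run the securityheaders.com scan against the HTTPS URL: the header must appear on the 443 response, and the 80 response should still be the force_https redirect rather than content.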