Given that HSTS is nothing more than an HTTP header, as long as you serve that header then you’re good to go.
As far as how to go about doing that, it really depends on your application. If you’re just serving static files with one of the builtins for example, then you’d need to do a bit of customising as, to my knowledge, there is no way to provide response headers besides sending them from your application (i.e. there’s no way to configure the layers between your application and the end user to apply headers on behalf of your app).
As an example, my static site is served using an nginx docker image deployed to Fly but if you have a running application, there should be a way to provide response headers.
If you can provide some more information on the type of thing you’re deploying, I’m sure the community would be happy to provide some pointers.
Just a quick note that I have a flag in the pipeline to have our edge CDN automatically handle HSTS for apps if they’re marked “secure”. You can absolutely just set the header yourself, but we’re going to make this easy, soon.
In general, one thing that usually seems harder than it needs to be for small-time users hosting a static site is enforcing proper security headers such as HSTS, X-Frame-Options and all the other security headers that help me get an A+ on my good boy security posture report card.
Personally, I think Netlify solves this nicely through netlify.toml but then it leaves me kind of annoyed that I can’t poke at their underlying infrastructure. GitHub Pages provides no configuration beyond a custom domain either. Fly seems like that sweet spot (paradoxically) between allowing “basically no config” at the same time as “I want to touch everything if and when I need to”.
Having said that, I’d prefer to just use the builtins for my site but then I end up dropping out to creating a custom Docker image with config to add headers (and eventually access log shipping for basic analytics), which is fine to do but to some extent, it feels like yak shaving. The fact I can do that without leaving the platform is a big win though.
Having said all this, whether this is actually something Fly could or should be concerned with providing is an entirely different story! Is there a line that shouldn’t be crossed where you start blurring into what is almost developer experience as opposed to staying in the well-defined area of deployment? Beats me, but it seems like an easy win for less experienced users to configure headers without having to drop out of the builtins, I think.
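As an added illustration of the nginx-in-Docker approach mentioned in the earlier reply, and of the headers listed above, here is a minimal nginx server block that sets HSTS and the other common security headers (example config written for this thread, not a config from the poster or from Fly; the server_name, listen port and document root are assumptions):

```nginx
# Added example, not from the original thread. Drop this into the image with
# something like: COPY default.conf /etc/nginx/conf.d/default.conf
server {
    listen 8080;               # assumption: the internal port Fly proxies to
    server_name example.com;   # assumption: replace with your domain
    root /usr/share/nginx/html;

    # HSTS: browsers only honour this header on HTTPS responses, so it is
    # harmless if the app itself speaks plain HTTP behind a TLS-terminating
    # edge. Start with a short max-age and only add "preload" once you are
    # sure every subdomain is served over HTTPS; preload is hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Clickjacking and MIME-sniffing protections for a static site.
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # "always" makes nginx emit the headers on error responses (4xx/5xx) too,
    # not just on 2xx/3xx.

    location / {
        # Caveat: add_header is NOT inherited into a location block that
        # declares its own add_header. If you add headers here, repeat all of
        # the ones above, or they silently disappear for this location.
        try_files $uri $uri/ =404;
    }
}
```

To confirm the headers actually reach the client through the edge, check a response with `curl -sI https://example.com/` and look for the Strict-Transport-Security line.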
This is great! I think generally features where we optionally set some sane set of headers are pretty easy for us to do, so I’m kind of on the lookout for them. We’re very interested in letting people deploy static assets without having a lot of compute behind them; there’s more news coming out about that too.
Thanks!
If anyone thinks of headers they want our CDN layer to be able to set, we’re interested!
This is now basically unrelated to the thread but as far as static stuff goes, I imagine a diagram in my head where it’s like Hello, I would like to:
Deploy a static site
Poke around the server logs to know if people are using it[1]
Not have to do everything myself
and so far, I can only pick two. Netlify let me do 2 1/2 but paying $9/month per domain just for analytics (hosting is weirdly free) AND I can’t get a copy of the logs feels like I’m a bit too far removed from my deployment. Admittedly, I’d happily pay $9/month if they’d just send me the raw access logs and I analyse them myself!
[1]: For a variety of reasons: privacy for visitors, but also users block analytics scripts (I do too!) and it’s one less request for the user to make when the data I’m after (what pages are visited, what weird bots are making requests) already exists on some server somewhere.
You can absolutely just set the header yourself, but we’re going to make this easy, soon.
How do we set the header ourselves? In this case, I’m running a third-party Docker image and I won’t be able to easily modify the source code to set that header.