HSTS on Fly

Hi folks!

Let’s say I have an app running on Fly where TLS and certificates are handled by Fly.

Is it possible to somehow use HSTS in this scenario? (HTTP Strict Transport Security)

If it is possible I would love some guidance on how to configure it.

2 Likes

Hey there,

Given that HSTS is nothing more than an HTTP header, as long as you serve that header then you’re good to go.

As far as how to go about doing that, it really depends on your application. If you’re just serving static files with one of the builtins for example, then you’d need to do a bit of customising as, to my knowledge, there is no way to provide response headers besides sending them from your application (ie there’s no way to configure the layers between your application and the end user to apply headers on behalf of your app)

As an example, my static site is served using an nginx docker image deployed to Fly but if you have a running application, there should be a way to provide response headers.

If you can provide some more information on the type of thing you’re deploying, I’m sure the community would be happy to provide some pointers.

1 Like

Hi Marcus,

So far I don’t have any image or application to provide examples from.

To be honest I think I made it more complicated in my mind than it needed to be :smile_cat:

As you said, for any custom application it’s simply a question of emitting the Strict-Transport-Security header.

I think I know how to proceed.

Thank you for your reply!

1 Like

Just a quick note that I have a flag in the pipeline to have our edge CDN automatically handle HSTS for apps if they’re marked “secure”. You can absolutely just set the header yourself, but we’re going to make this easy, soon.

1 Like

@thomas So what I’m hearing is there could be the possibility for customers to set custom headers at the CDN level in future? :stuck_out_tongue:

What headers would you like to be able to set?

In general, one thing that usually seems harder than it needs to be for small time users hosting a static site, is enforcing proper security headers such as HSTS, X-Frame-Options and all the other security headers that help me get an A+ on my good boy security posture report card :stuck_out_tongue:

Personally, I think Netlify solves this nicely through netlify.toml but then it leaves me kind of annoyed that I can’t poke at their underlying infrastructure. Github Pages provides no configuration beyond a custom domain either. Fly seems like that sweet spot (paradoxically) between allowing “basically no config” at the same time as “i want to touch everything if and when i need to”

Having said that, I’d prefer to just use the built ins for my site but then I end up dropping out to creating a custom Docker image with config to add headers (and eventually access log shipping for basic analytics), which is fine to do but to some extent, it feels like yak shaving. The fact I can do that without leaving the platform is a big win though.

Having said all this, whether this is actually something Fly could or should be concerned with providing is an entirely different story! Is there a line that shouldn’t be crossed where you start blurring into what is almost developer experience as opposed to staying in the well defined area of deployment? :woman_shrugging: Beats me but it seems like an easy win for less experienced users to configure headers without having to drop out of the builtins I think

1 Like

This is great! I think generally features where we optionally set some sane set of headers are pretty easy for us to do, so I’m kind of on the lookout for them. We’re very interested in letting people deploy static assets without having a lot of compute behind them; there’s more news coming out about that too.

Thanks!

If anyone things of headers they want our CDN layer to be able to set, we’re interested!

1 Like

This is now basically unrelated to the thread but as far as static stuff goes, I imagine a diagram in my head where it’s like Hello, I would like to:

  • Deploy a static site
  • Poke around the server logs to know if people are using it[1]
  • Not have to do everything myself

and so far, I can only pick two. Netlify let me do 2 1/2 but paying $9/month per domain just for analytics (hosting is weirdly free) AND I can’t get a copy of the logs feels like I’m a bit too far removed from my deployment. Admittedly, I’d happily pay $9/month if they’d just send me the raw access logs and I analyse them myself!

[1]: For a variety of reasons: Privacy for visitors but also users block analytics scripts (I do too!) and it’s one less request for the user to make when the data I’m after (what pages are visited, what weird bots are making requests) already exists on some server somewhere