fix(backend): Serve valid headers for HSTS and HSTS preload

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

.config/cypress-devcontainer.yml

@@ -174,6 +174,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 

.config/docker_example.yml

@@ -168,6 +168,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 

.config/example.yml

@@ -250,6 +250,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 

.devcontainer/devcontainer.yml

@@ -161,6 +161,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 

chart/files/default.yml

@@ -182,6 +182,12 @@ id: "aidx"
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 

packages/backend/src/config.ts

@@ -28,6 +28,7 @@ type Source = {
 	socket?: string;
 	chmodSocket?: string;
 	disableHsts?: boolean;
+	hstsPreload?: boolean;
 	db: {
 		host: string;
 		port: number;
@@ -107,6 +108,7 @@ export type Config = {
 	socket: string | undefined;
 	chmodSocket: string | undefined;
 	disableHsts: boolean | undefined;
+	hstsPreload: boolean | undefined;
 	db: {
 		host: string;
 		port: number;
@@ -241,6 +243,7 @@ export function loadConfig(): Config {
 		socket: config.socket,
 		chmodSocket: config.chmodSocket,
 		disableHsts: config.disableHsts,
+		hstsPreload: config.hstsPreload ?? false,
 		host,
 		hostname,
 		scheme,

packages/backend/src/server/ServerService.ts

@@ -31,6 +31,7 @@ import { HealthServerService } from './HealthServerService.js';
 import { ClientServerService } from './web/ClientServerService.js';
 import { OpenApiServerService } from './api/openapi/OpenApiServerService.js';
 import { OAuth2ProviderService } from './oauth/OAuth2ProviderService.js';
+import { makeHstsHook } from './hsts.js';
 
 const _dirname = fileURLToPath(new URL('.', import.meta.url));
 
@@ -81,12 +82,9 @@ export class ServerService implements OnApplicationShutdown {
 		this.#fastify = fastify;
 
 		// HSTS
-		// 6months (15552000sec)
 		if (this.config.url.startsWith('https') && !this.config.disableHsts) {
-			fastify.addHook('onRequest', (request, reply, done) => {
+			const preload = this.config.hstsPreload;
-				reply.header('strict-transport-security', 'max-age=15552000; preload');
+			fastify.addHook('onRequest', makeHstsHook(preload));
-				done();
-			});
 		}
 
 		// Register raw-body parser for ActivityPub HTTP signature validation.

packages/backend/src/server/hsts.ts

@@ -0,0 +1,26 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import type {  FastifyReply, FastifyRequest } from "fastify";
+
+export function hstsHook(_request: FastifyRequest, reply: FastifyReply, done: () => void) {
+    reply.header('strict-transport-security', 'max-age=15552000');
+    done();
+}
+
+export function hstsPreloadHook(request: FastifyRequest, reply: FastifyReply, done: () => void) {
+	// we must permanent redirect http to https for preload to be eligible
+    if ((request.headers['x-forwarded-proto'] ?? request.protocol) === 'http') {
+        reply.redirect(`https://${request.hostname}${request.url}`, 301);
+        return;
+    }
+    // 1 year is mandatory for preload
+    reply.header('strict-transport-security', 'max-age=31536000; includeSubDomains; preload');
+}
+
+// 6months (15552000sec) by default, 1year (31536000sec) if preload is enabled
+export function makeHstsHook(preload: boolean = false) {
+    return preload ? hstsPreloadHook : hstsHook;
+}

packages/backend/src/server/web/ClientServerService.ts

@@ -52,6 +52,7 @@ import { FeedService } from './FeedService.js';
 import { UrlPreviewService } from './UrlPreviewService.js';
 import { ClientLoggerService } from './ClientLoggerService.js';
 import type { FastifyInstance, FastifyPluginOptions, FastifyReply } from 'fastify';
+import { makeHstsHook } from '../hsts.js';
 
 const _filename = fileURLToPath(import.meta.url);
 const _dirname = dirname(_filename);
@@ -214,6 +215,12 @@ export class ClientServerService {
 				return;
 			}
 
+			// HSTS
+			if (this.config.url.startsWith('https') && !this.config.disableHsts) {
+				const preload = this.config.hstsPreload;
+				fastify.addHook('onRequest', makeHstsHook(preload));
+			}
+
 			// %71ueueとかでリクエストされたら困るため
 			const url = decodeURI(request.routeOptions.url);
 			if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {