HSTS
Http4s provides a Middleware giving support for HTTP Strict Transport Security (HSTS).
The middleware is called HSTS and simply adds a header to enable a HSTS security policy.
Though it is not enforced, HSTS only makes sense for an https service.
Examples in this document have the following dependencies.
libraryDependencies ++= Seq(
"org.http4s" %% "http4s-dsl" % http4sVersion,
"org.http4s" %% "http4s-server" % http4sVersion
)
And we need some imports.
import org.http4s._
import org.http4s.dsl.io._
import cats.effect.IO
Let’s make a simple service that will be exposed and wrapped with HSTS.
val service = HttpService[IO] {
case _ =>
Ok("ok")
}
// service: HttpService[IO] = Kleisli(
// org.http4s.HttpService$$$Lambda$12903/708292025@2ac4f0a1
// )
val request = Request[IO](Method.GET, uri("/"))
// request: Request[IO] = Request(
// Method("GET"),
// Uri(None, None, "/", Query(), None),
// HttpVersion(1, 1),
// Headers(),
// Stream(..),
// org.http4s.AttributeMap@8cf85da
// )
// Do not call 'unsafeRunSync' in your code
val response1 = service.orNotFound(request).unsafeRunSync
// response1: Response[IO] = Response(
// Status(200),
// HttpVersion(1, 1),
// Headers(
// Content-Type(MediaType(text/plain), Some(Charset(UTF-8))),
// Content-Length(2L)
// ),
// Stream(..),
// org.http4s.AttributeMap@8cf85da
// )
response1.headers
// res0: Headers = Headers(
// Content-Type(MediaType(text/plain), Some(Charset(UTF-8))),
// Content-Length(2L)
// )
If we were to wrap this on the HSTS middleware.
import org.http4s.server.middleware._
val hstsService2 = HSTS(service)
// hstsService2: HttpService[IO] = Kleisli(
// org.http4s.server.middleware.HSTS$$$Lambda$13524/963615858@10deb3e6
// )
// Do not call 'unsafeRunSync' in your code
val response2 = hstsService2.orNotFound(request).unsafeRunSync
// response2: Response[IO] = Response(
// Status(200),
// HttpVersion(1, 1),
// Headers(
// Content-Type(MediaType(text/plain), Some(Charset(UTF-8))),
// Content-Length(2L),
// Strict-Transport-Security(31536000L, true, false)
// ),
// Stream(..),
// org.http4s.AttributeMap@8cf85da
// )
response2.headers
// res1: Headers = Headers(
// Content-Type(MediaType(text/plain), Some(Charset(UTF-8))),
// Content-Length(2L),
// Strict-Transport-Security(31536000L, true, false)
// )
Now the response has the Strict-Transport-Security header which will mandate browsers
supporting HSTS to always connect using https.
As described in Middleware, services and middleware can be composed though HSTS
is something you may want enabled across all your routes.
Configuration
By default HSTS is configured to indicate that all requests during 1 year
should be done over https and it will contain the includeSubDomains directive by default.
If you want to preload or change other default values you can pass a custom header, e.g.
import org.http4s.headers._
import scala.concurrent.duration._
val hstsHeader = `Strict-Transport-Security`.unsafeFromDuration(30.days, includeSubDomains = true, preload = true)
// hstsHeader: Strict-Transport-Security = Strict-Transport-Security(
// 2592000L,
// true,
// true
// )
val hstsService3 = HSTS(service, hstsHeader)
// hstsService3: HttpService[IO] = Kleisli(
// org.http4s.server.middleware.HSTS$$$Lambda$13524/963615858@23008a56
// )
// Do not call 'unsafeRunSync' in your code
val response3 = hstsService3.orNotFound(request).unsafeRunSync
// response3: Response[IO] = Response(
// Status(200),
// HttpVersion(1, 1),
// Headers(
// Content-Type(MediaType(text/plain), Some(Charset(UTF-8))),
// Content-Length(2L),
// Strict-Transport-Security(2592000L, true, true)
// ),
// Stream(..),
// org.http4s.AttributeMap@8cf85da
// )
response3.headers
// res2: Headers = Headers(
// Content-Type(MediaType(text/plain), Some(Charset(UTF-8))),
// Content-Length(2L),
// Strict-Transport-Security(2592000L, true, true)
// )
References