Adding HSTS headers in app.yaml (Google App Engine)

Posted by 故事扮演 on 2021-02-19 03:42:08

Question


I have the following handlers section in my app.yaml:

handlers:
  - url: /(robots\.txt|sitemap\.xml)
    static_files: \1
    upload: (robots\.txt|sitemap\.xml)
    secure: always
    http_headers:
      Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload'
  - url: /.*
    script: main.app
    secure: always
    http_headers:
      Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload'

and another subdomain, served by another submodule (static.yaml), has the following:

handlers:
  - url: /
    static_dir: files
    secure: always
    http_headers:
      Access-Control-Allow-Origin: '*'
      Strict-Transport-Security: 'max-age=63072000; preload'

I was able to deploy static.yaml without any issues to the appengine:

$ appcfg.py update static.yaml
12:48 PM Host: appengine.google.com
12:48 PM Application: XXXXXX; module: static; version: 1
12:48 PM
Starting update of app: XXXXXXXX, module: static, version: 1
12:48 PM Getting current resource limits.
12:48 PM Scanning files on local disk.
[...]
[...]
12:49 PM Checking if updated app version is serving.
12:49 PM Completed update of app: XXXXXX, module: static, version: 1

whereas, when I try to update the app.yaml configuration, I get:

$ appcfg.py update app.yaml
12:48 PM Host: appengine.google.com
Usage: appcfg.py [options] update <directory> | [file, ...]

appcfg.py: error: Error parsing .\app.yaml: Unexpected attribute "http_headers" for mapping type script.
  in ".\app.yaml", line 31, column 1.

I understand that it means I'd have to handle the HSTS configuration in my Python script itself. But I have ~10 handlers in the main.app interface. Instead of updating each of those to add the STS header, is there some alternative to do so at the app.yaml level itself?

Checking the app.yaml reference on GAE, there is no mention of a restriction on the http_headers directive in script-type mappings.


Answer 1:


You can use app.yaml to control HTTP headers for static file handlers and not dynamic handlers. You would need to set the header within your app code.
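The answer above leaves the question's practical problem open: with ~10 handlers behind main.app, setting the header in each one is tedious. Since app.yaml points at a WSGI callable, one place to do it is a WSGI middleware that wraps the whole application and appends Strict-Transport-Security to every response. The following is an added example, not code from the question, the answers or Google's documentation; it assumes the question's `main.app` object (replaced here by a constructed stand-in so the file runs offline) and adds the header only on HTTPS requests, since browsers ignore HSTS delivered over plain HTTP.

```python
"""Added example (not from the original question or answers): a WSGI middleware
that adds a Strict-Transport-Security header to every response of a Python
App Engine app, so the handlers behind `main.app` need no changes.
`main.app` (the WSGI application from the question) is assumed; a minimal
stand-in app is constructed below so this file runs offline."""

# Same value the question uses in app.yaml
HSTS_VALUE = 'max-age=63072000; includeSubDomains; preload'


class HSTSMiddleware(object):
    """Wraps any WSGI app and appends Strict-Transport-Security to its responses.

    The header is only added when the request arrived over HTTPS: browsers
    ignore HSTS on plain-HTTP responses. With `secure: always` in app.yaml
    every request reaching the app is already HTTPS, so in practice the
    header is added to all of them. An app-set header is left untouched.
    """

    def __init__(self, app, value=HSTS_VALUE):
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def hsts_start_response(status, headers, exc_info=None):
            already_set = any(name.lower() == 'strict-transport-security'
                              for name, _ in headers)
            if environ.get('wsgi.url_scheme') == 'https' and not already_set:
                headers = list(headers) + [('Strict-Transport-Security', self.value)]
            return start_response(status, headers, exc_info)
        return self.app(environ, hsts_start_response)


def _demo_app(environ, start_response):
    """Constructed stand-in for main.app: a handler that knows nothing about HSTS."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'hello']


def call_app(app, scheme='https', path='/'):
    """Run `app` on a constructed WSGI environ; return (status, headers dict, body)."""
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': path, 'wsgi.url_scheme': scheme}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = headers

    body = b''.join(app(environ, start_response))
    return captured['status'], dict(captured['headers']), body


# In the real project this would read: app = HSTSMiddleware(main.app)
# and app.yaml would keep `script: main.app` pointing at the wrapped object.
app = HSTSMiddleware(_demo_app)

if __name__ == '__main__':
    print(call_app(app))
    print(call_app(app, scheme='http'))
```

In the real project the wrapping happens once, in the module that app.yaml's `script:` line names, so the individual request handlers stay untouched. Keep in mind the caveat from the other answers: App Engine may strip this header for domains other than *.appspot.com, so verify the header in a response from the deployed app rather than trusting the code alone.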




Answer 2:


As the doc says: https://cloud.google.com/appengine/docs/flexible/nodejs/using-custom-domains-and-ssl

You cannot use Strict-Transport-Security headers unless your domain is whitelisted. To place your domain in the whitelist, contact ...

UPDATE

As of 2018, custom domains don't need to be whitelisted. In other words, HSTS headers are not stripped out anymore.




Answer 3:


I was looking over http headers in app.yaml today and saw this. It appears to be related to your issue.

In addition, the header Strict-Transport-Security is removed from responses served from any domains other than *.appspot.com.

https://cloud.google.com/appengine/docs/python/how-requests-are-handled#Python_Responses



Source: https://stackoverflow.com/questions/39544193/adding-hsts-headers-in-app-yaml-google-app-engine
