Istio: Configure Strict-Transport-Security (HSTS)

Secure your website by setting the Strict-Transport-Security HTTP header, also known as HSTS. This header tells the browser that it should never load your website over plain HTTP; instead, the browser converts all requests to HTTPS itself. You can easily configure Istio to set this header on every response.
Explanation

If your website accepts connections over plain HTTP and redirects the user to HTTPS, visitors can receive an unencrypted version of your site before the redirect happens. This is the case, for example, when a user types http://www.yoursite.com instead of https://www.yoursite.com. This creates an opportunity for a man-in-the-middle attack: visitors could be redirected to some kind of evil website and not to the HTTPS version of your site. Once a browser has seen the HSTS header for your site, it upgrades such requests to HTTPS on its own, so the unencrypted first request is never sent.
Set Strict-Transport-Security (HSTS) header in Istio Virtual-Service
You can test your configuration at https://hstspreload.org/, or your complete SSL setup including HSTS at https://www.ssllabs.com/ssltest/. If the test succeeds, you can also add the "preload" directive. This adds your website to the HSTS preload lists that ship with the major browsers. Before doing so I recommend reading this paragraph on why you might not want to activate this feature: preload entries are baked into browser releases, so removing your site from the list again takes a long time.
kind: VirtualService
apiVersion: networking.istio.io/v1beta1
metadata:
  name: my-virtual-service
  namespace: default
spec:
  hosts:
  - yoursite.com
  gateways:
  - istio-system/my-gateway
  http:
  - name: default-route
    route:
    - destination:
        host: my-service
        port:
          number: 80
    # Istio adds the header to every response that passes through this route.
    headers:
      response:
        set:
          # max-age is in seconds; 31536000 is one year.
          Strict-Transport-Security: max-age=31536000; includeSubDomains
Any questions or problems? - Tweet me @MaxWagnerDev.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.