Istio: Configure Strict-Transport-Security (HSTS)

Secure your website by setting the Strict-Transport-Security HTTP header, also known as HSTS. This header tells the browser that it must never load your website over plain HTTP; instead, the browser converts all requests to HTTPS. You can easily configure Istio to set this header on the response to each request.

Explanation
If your website accepts connections over plain HTTP and then redirects the user to HTTPS, visitors could receive an unencrypted version of your site before the redirect. This happens, for example, when a user types http://www.yoursite.com instead of https://www.yoursite.com. That first unencrypted request creates an opportunity for a man-in-the-middle attack: visitors could be redirected to some kind of evil website instead of to the HTTPS version of your site.

Prerequisites

Set Strict-Transport-Security (HSTS) header in Istio Virtual-Service

kind: VirtualService
apiVersion: networking.istio.io/v1beta1
metadata:
  name: my-virtual-service
  namespace: default
spec:
  hosts:
    - yoursite.com
  gateways:
    - istio-system/my-gateway
  http:
    - name: default-route
      route:
        - destination:
            host: my-service
            port:
              number: 80
          headers:
            response:
              set:
                Strict-Transport-Security: max-age=31536000; includeSubDomains

You can test your configuration at https://hstspreload.org/, or your complete SSL setup including HSTS with https://www.ssllabs.com/ssltest/. If the test was successful, you could also add the "preload" directive. This will add your website to the major browsers' HSTS preload lists. Before doing so, I recommend reading this paragraph on why you might not want to activate this feature.
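As an added offline check (not part of the original post or of Istio), the following script parses a Strict-Transport-Security header value such as the one set above and reports what the hstspreload.org preload check would still reject. The names ONE_YEAR, HstsPolicy, parse_hsts and preload_ready are my own.

```python
"""Validate a Strict-Transport-Security header value against what
hstspreload.org requires before accepting a domain (RFC 6797 syntax)."""
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directive list; names are case-insensitive (RFC 6797 section 6.1)."""
    policy, seen = HstsPolicy(), set()
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # RFC 6797: a repeated directive makes the whole header invalid
            policy.problems.append(f"duplicate directive: {name}")
        elif name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "max-age":
            policy.problems.append(f"max-age must be a non-negative integer, got {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        seen.add(name)  # unknown directives are ignored, as browsers do
    if policy.max_age is None:
        policy.problems.append("max-age is required")
    return policy


def preload_ready(value: str) -> list:
    """Reasons hstspreload.org would reject this header; an empty list means ready."""
    policy = parse_hsts(value)
    reasons = list(policy.problems)
    if policy.max_age is not None and policy.max_age < ONE_YEAR:
        reasons.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        reasons.append("includeSubDomains is missing")
    if not policy.preload:
        reasons.append("preload directive is missing")
    return reasons
```

Run it against the value your gateway actually returns (for example the header copied from a browser's network inspector); the VirtualService above yields only "preload directive is missing", which is the intended state until you decide to preload.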

Helpful Links

Any questions or problems? - Tweet me @MaxWagnerDev.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.