ADR014: HSTS preload using API Gateway
Context
We will only serve HTTPS traffic, keeping TCP port 80 (HTTP) closed and use HSTS preload lists.
To add our domains to HSTS preload lists, there are these requirements:
- Serve a valid certificate.
- Redirect from HTTP to HTTPS on the same host.
- Serve all subdomains over HTTPS (actually checks for www.domain.com).
- Serve an HSTS header on the base domain for HTTPS requests:
We need an endpoint to provide these requirements.
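The checks below turn the preload requirements listed above into code that can be run against a captured response before submitting a domain. This is an added example, not part of the ADR; it assumes the thresholds published by hstspreload.org (a max-age of at least one year plus the includeSubDomains and preload directives), and the inputs in the test are constructed samples, not real probes.

```python
"""Offline checks for the HSTS preload requirements (added example)."""
from urllib.parse import urlsplit

# Assumed minimum max-age for the preload list: one year in seconds.
ONE_YEAR = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        # Directive names are case-insensitive; a bare directive has no value.
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def hsts_preload_problems(header_value):
    """Return the reasons a base-domain HSTS header would fail preload."""
    if header_value is None:
        return ["no Strict-Transport-Security header on the base domain"]
    d = parse_hsts(header_value)
    problems = []
    try:
        max_age = int(d.get("max-age") or -1)
    except ValueError:
        max_age = -1
    if max_age < ONE_YEAR:
        problems.append("max-age must be at least %d seconds" % ONE_YEAR)
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains directive")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


def redirect_problems(request_url, status, location):
    """Check that a port-80 response redirects to HTTPS on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return ["port 80 must answer with a redirect, not %s" % status]
    src, dst = urlsplit(request_url), urlsplit(location)
    problems = []
    if dst.scheme != "https":
        problems.append("redirect target must be https")
    if dst.hostname != src.hostname:
        problems.append("redirect must stay on the same host")
    return problems
```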
Our Cloud Foundry app endpoint already serves the right HSTS security header with HAProxy and could be configured to serve the additional preload and includeSubDomains flags, but we cannot use it because we keep port 80 (HTTP) closed for this endpoint.
We could implement a second ELB listening on HTTP and HTTPS and use HAProxy to do the HTTP to HTTPS redirect and serve the right header. But this would increase our dependency on the HAProxy service.
We must serve from the root domain (apex domain), but CNAME records are not allowed at the root/apex of a zone, so we must configure A records there. This can be an issue when serving the service using ELB or CloudFront.
Decision
We will implement a basic AWS API Gateway with a default MOCK response that returns the right Strict-Transport-Security HTTP header. The actual content of the response is irrelevant; it can be a 302. A Custom Domain Name, which creates an AWS CloudFront distribution, will provide public access to this API. We will use an AWS Route 53 ALIAS resource record to serve the IPs of the AWS CloudFront distribution as A records.
Status
Accepted
Consequences
To set up AWS API Gateway Domain Names, access to the SSL certificates is required. There is the option of uploading the certificates in a separate step and creating the AWS CloudFront distribution manually.