ADR014: HSTS preload using api gateway
To add our domains to the HSTS preload list, the following requirements must be met:
- Serve a valid certificate.
- Redirect from HTTP to HTTPS on the same host.
- Serve all subdomains over HTTPS (actually checks for
- Serve an HSTS header on the base domain for HTTPS requests:
We need an endpoint that satisfies all of these requirements.
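As an added example (not part of this ADR), the checks below turn the requirements list into something a pipeline can run before a preload submission: the HSTS header parser and the redirect check work offline on constructed responses, and probe() applies them to a live host. The one-year minimum max-age is hstspreload.org's current threshold and is an assumption not stated on this page; the host and header values used in the checks are constructed samples.

```python
"""Checker for the HSTS preload list requirements (added example, not the ADR's own code)."""
import http.client
import re
import sys
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# hstspreload.org's current minimum max-age (one year in seconds); assumption,
# the ADR itself does not state a value.
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value such as
    'max-age=63072000; includeSubDomains; preload'. Directive names are
    case-insensitive and unknown directives are ignored, as RFC 6797 requires."""
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_problems(header_value: Optional[str]) -> List[str]:
    """Problems with the header served on the apex domain over HTTPS;
    an empty list means the header meets the preload requirements."""
    if header_value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    policy = parse_hsts(header_value)
    problems = []
    if policy.max_age is None:
        problems.append("max-age directive missing or malformed")
    elif policy.max_age < MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def redirect_problems(host: str, status: int, location: Optional[str]) -> List[str]:
    """Check the plain-HTTP response for the apex: it must be a 3xx whose
    Location is HTTPS on the same host (a redirect to www first fails)."""
    if not 300 <= status < 400 or not location:
        return [f"http://{host} returned {status} without redirecting"]
    target = urlsplit(location)
    problems = []
    if target.scheme != "https":
        problems.append(f"redirect target {location!r} is not https")
    if target.hostname != host:
        problems.append(f"redirect leaves the host: {host} -> {target.hostname}")
    return problems


def probe(host: str, timeout: float = 10.0) -> List[str]:
    """Live check (needs network): fetch http://host/ without following the
    redirect, then the HTTPS apex, and combine both checks. HTTPSConnection
    verifies the certificate with the default context, which also covers the
    'valid certificate' requirement."""
    problems = []
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    problems += redirect_problems(host, resp.status, resp.getheader("Location"))
    conn.close()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    problems += hsts_problems(resp.getheader("Strict-Transport-Security"))
    conn.close()
    return problems


if __name__ == "__main__":
    for line in probe(sys.argv[1]) or ["OK: preload requirements met"]:
        print(line)
```

Run it as `python check_preload.py example.com` (constructed host name) once the endpoint is live; a non-empty list is the reason a submission would be rejected.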
Our Cloud Foundry app endpoint already serves the right HSTS (Strict-Transport-Security) header via HAProxy and could be configured to serve the additional but we cannot use it because we keep port 80 (HTTP) closed on this endpoint.
We could add a second ELB listening on both HTTP and HTTPS and use HAProxy to perform the HTTP to HTTPS redirect and serve the right header, but this would increase our dependency on the HAProxy service.
We must serve from the root (apex) domain, but DNS does not allow a CNAME record at the zone apex; we have to configure A records there. This can be an issue when the service is fronted by an ELB or CloudFront, since both are addressed by DNS name rather than by fixed IP addresses.
We will implement a basic AWS API Gateway with a default MOCK integration response that returns the right Strict-Transport-Security HTTP header. The actual content of the response is irrelevant; it can be a 302 redirect. A Custom Domain Name, which creates an AWS CloudFront distribution, will provide public access to this API.
Setting up AWS API Gateway Domain Names requires access to the SSL certificates. There is the option of uploading the certificates in a separate step and creating the AWS CloudFront distribution manually.