
This is for internal use by the PaaS team. Public-facing documentation is located at docs.cloud.service.gov.uk.

ADR443: SSL-only for applications and cf endpoints

Context

Note: This has been superseded. See Status below.

Government websites are expected to be secure and to keep user interactions private. We therefore want to enforce that all communication with any application, and with the platform endpoints, always and only uses HTTPS, as described in the Government Service Manual.

When a user types a website name without specifying the protocol, most browsers first try plain HTTP by default. Even if the server always redirects HTTP to HTTPS, that initial unprotected request is transferred in clear text together with any user information it carries: the full URL (domain and parameters), any cookies not marked with the Secure flag, and browser metadata such as the request headers.

HTTP Strict Transport Security (HSTS) mitigates this by instructing browsers that support it to connect using HTTPS only, for as long as the max-age given in the header. This is also a requirement in the Service Manual.

There is still a potential unprotected HTTP request before the browser has received the HSTS header for the first time, or after the specified HSTS max-age has expired. To close this gap, the root domain can be added to the HSTS preload list, which is shipped built in to the most common browsers.

Currently the only way to avoid any clear-text HTTP interaction at all is to not listen on TCP port 80, dropping or rejecting connection attempts at the TCP level. This also removes the HTTP-to-HTTPS redirect: a request explicitly made to http:// gets a connection failure rather than a redirect.

Although not every application deployed on the PaaS will be a "service" in the Service Manual sense, we must not allow HTTP, so that it is easier for service owners to comply with these requirements.

Decision

We will only open TCP port 443 (HTTPS) and drop or reject any TCP connection to port 80 (HTTP).

We will submit our production domains to the HSTS preload list and maintain those entries.

Status

Superseded by ADR444

Consequences

We must configure and maintain our domains in the HSTS preload list. Preloading is a long-term commitment: an entry applies to the domain and all its subdomains, and removal from the list takes months to reach users through browser releases, so every host under a preloaded domain must be able to serve HTTPS.

Users of browsers that do not support HSTS, or the HSTS preload list, will not be able to connect to the sites without explicitly typing https:// in the URL. This only affects users who type the URL into the browser manually.