Pull request 181: 2998-hsts

Squashed commit of the following:

commit 33f2a2f08b43dfe700703ad65e3d7a5b29bea309
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Aug 30 18:50:06 2023 +0300

    Encryption: imp hsts doc

commit 2d5f3155eb2d55a5654e3ba45872152175cedf76
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Aug 30 18:38:42 2023 +0300

    Configuration: HSTS
Ainar Garipov 2023-08-30 18:57:47 +03:00
parent b3490ee566
commit b0627444f0
2 changed files with 14 additions and 9 deletions

@ -651,6 +651,9 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
Must match one of the DNS Names in the certificate.
- `force_https`: If `true`, force HTTP-to-HTTPS redirect.
**Since v0.107.37,** this setting also sets the
[`Strict-Transport-Security`][hsts] header.
- `port_https`: The HTTPS port. Used for both web UI and DNS-over-HTTPS. If
`0`, HTTPS is disabled.
- `port_dns_over_tls`: The DNS-over-TLS port. If `0`, DNS-over-TLS is
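Review bot: the sentence added under `force_https` does not say which `Strict-Transport-Security` value is sent. Please document the `max-age` and whether `includeSubDomains` is included, since browsers cache the policy for that long and an operator who later sets `force_https` back to `false` will still see clients refusing plain HTTP until it expires. It would also help to state whether the header is sent on HTTPS responses only or on the HTTP redirect as well.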
@ -718,13 +721,14 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
Removing an entry from settings file will reset it to the default value. Deleting the file will reset all settings to the default values.
[DDR]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html
[DHCP]: https://github.com/AdguardTeam/AdGuardHome/wiki/DHCP
[DNSCrypt]: https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt
[docker-conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Docker#configuration
[`dnscrypt`]: https://github.com/ameshkov/dnscrypt
[DDR]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html
[tls-names]: https://pkg.go.dev/crypto/tls#pkg-constants
[docker-conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Docker#configuration
[hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
[rfc6147]: https://datatracker.ietf.org/doc/html/rfc6147
[tls-names]: https://pkg.go.dev/crypto/tls#pkg-constants
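Review bot: in the link reference list, the new `[hsts]` definition is bundled with a re-sort of `[DDR]`, `[docker-conf]` and `[tls-names]` (each appears twice in this hunk), which makes the one functional addition hard to spot. Consider mentioning the re-sort in the commit message or splitting it into its own commit, and check that every definition left in the list is still referenced from the page.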

@ -217,13 +217,14 @@ Other HTTP headers may be supported by AdGuard Home in the future. However, any
headers-related feature requests should first be tried to be resolved by
configuring the reverse proxy itself.
For example, to implement the [HTTP Strict Transport Security][hsts] mechanism,
something like the following piece of configuration might be used:
For example, to modify the [HTTP Strict Transport Security][hsts] mechanism to
include the experimental `preload` directive, something like the following piece
of configuration might be used:
```nginx
location /dns-query {
# …
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# …
}
```
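Review bot: the `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` line in `location /dns-query` appends a header rather than replacing one. If the proxied AdGuard Home instance has `force_https` enabled and already sets `Strict-Transport-Security`, the response will carry two such headers, and RFC 6797 tells clients to process only the first. Since the new wording says "modify", the example should also drop the upstream header, for instance with `proxy_hide_header Strict-Transport-Security;` before the `add_header` line. It would also be worth noting next to "experimental" that `preload` together with `includeSubDomains` is slow to undo once a domain is on a browser preload list.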