
3.1.0

@github-actions github-actions released this 25 Jan 09:51

This release adds support for HTTP Strict Transport Security (HSTS).

The Strict-Transport-Security response header tells a browser that has received it over HTTPS to reach that host only over HTTPS for the period given by max-age: http:// requests are upgraded before they leave the browser, and certificate errors can no longer be clicked through. Browsers ignore the header when it arrives over plain HTTP.

This matters most for URLs that users type into a browser. If a user starts one with http:// by mistake, the first request leaves in plaintext, and an attacker positioned on the network can intercept it, impersonate the site and steal user data. Because users don’t typically access Collector endpoints directly (the tracker calls them, not the user), the practical exposure is small. It is still good security practice to send HSTS, and it helps pass automated security scans of the infrastructure.

If your Collector sits behind a reverse proxy such as Nginx, you could already add the HSTS header there. But if you front it with something like an AWS or GCP load balancer that passes application response headers through unchanged, it is more convenient to have the Collector send the header itself.

The configuration looks like this:

hsts {
  enable = true
  maxAge = 365 days
}

This setting is off by default. Browsers that have received the header over HTTPS cache the policy for the full max-age and refuse plain HTTP to that host until it expires, so enabling it where HTTPS is not (or not permanently) available would lock users out. Enable it only once every hostname the Collector answers on serves HTTPS, and remember that the policy then lives in visitors’ browsers for the whole max-age (a year in the example above).
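To confirm that the header actually reaches clients through the load balancer, and that its value is sane, the following Python script (an added example for this note, not part of the release or of the Collector code base) parses a Strict-Transport-Security value per RFC 6797 and flags the usual mistakes: header missing or duplicated, max-age missing, shorter than a year or set to 0, preload without includeSubDomains. It assumes the Collector emits the standard `max-age=<seconds>` form, so `maxAge = 365 days` becomes `max-age=31536000`; the helper names `hsts_value_for_days`, `parse_hsts`, `check_hsts` and `check_url` are this example's own, and the sample response headers are constructed inline. Given a URL argument it fetches the real headers over HTTPS instead.

```python
"""Check that an HTTP response carries a sane Strict-Transport-Security (HSTS) header.
Added example; not Collector code. Run with an https:// URL to test a live endpoint,
or with no argument to check a constructed sample response."""
import http.client
import re
import sys
from collections.abc import Mapping
from typing import Dict, Iterable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

SECONDS_PER_DAY = 86_400
# One year is the conventional minimum; the browser preload list requires at least this.
DEFAULT_MIN_MAX_AGE = 365 * SECONDS_PER_DAY
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token, for directive names


def hsts_value_for_days(days: int) -> str:
    """Header value for a policy of `days` days, assuming the standard max-age=<seconds> form
    (365 days -> "max-age=31536000")."""
    if days <= 0:
        raise ValueError("maxAge must be a positive number of days")
    return f"max-age={days * SECONDS_PER_DAY}"


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an STS header value into {lower-case directive name: value or None}.
    RFC 6797 section 6.1: ';'-separated directives, case-insensitive names, no directive
    may appear twice, values may be a token or a quoted-string. Raises ValueError if malformed."""
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue  # the grammar allows empty directives, e.g. a trailing ';'
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if not _TOKEN.fullmatch(name):
            raise ValueError(f"invalid directive name {name!r}")
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        if sep:
            val = val.strip()
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]  # quoted-string form, e.g. max-age="31536000"
            directives[name] = val
        else:
            directives[name] = None
    return directives


def check_hsts(headers: Union[Mapping, Iterable[Tuple[str, str]]],
               min_max_age: int = DEFAULT_MIN_MAX_AGE) -> List[str]:
    """Return the problems found with the STS policy in `headers`; an empty list means it passes.
    `headers` is a dict or a list of (name, value) pairs as returned by
    http.client.HTTPResponse.getheaders(). Name matching ignores case, since proxies may change it."""
    pairs = headers.items() if isinstance(headers, Mapping) else headers
    values = [v for k, v in pairs if k.lower() == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing (HSTS not enabled, or stripped upstream)"]
    if len(values) > 1:
        # RFC 6797 section 8.1: a user agent processes only the first STS header field it sees.
        return ["multiple Strict-Transport-Security headers; only the first is honoured, fix the duplication"]
    try:
        directives = parse_hsts(values[0])
    except ValueError as exc:
        return [f"unparseable Strict-Transport-Security value: {exc}"]

    problems: List[str] = []
    if "max-age" not in directives:
        problems.append("max-age directive is required")
    else:
        max_age = directives["max-age"]
        if max_age is None or not max_age.isdigit():
            problems.append(f"max-age must be a non-negative integer, got {max_age!r}")
        elif int(max_age) == 0:
            problems.append("max-age=0 tells browsers to forget the policy; this is the opt-out value")
        elif int(max_age) < min_max_age:
            problems.append(f"max-age={max_age} is below the recommended minimum of {min_max_age} seconds")
    if "preload" in directives and "includesubdomains" not in directives:
        problems.append("preload requested without includeSubDomains; the preload list requires both")
    return problems


def check_url(url: str, min_max_age: int = DEFAULT_MIN_MAX_AGE) -> List[str]:
    """Fetch `url` and run check_hsts on the live response headers (makes a network call)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        # Browsers ignore STS headers received over plain HTTP, so a test over http:// proves nothing.
        return ["test over https://; user agents ignore Strict-Transport-Security on plain HTTP"]
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        return check_hsts(conn.getresponse().getheaders(), min_max_age)
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = check_url(sys.argv[1])
    else:
        # Constructed sample: what a Collector behind a pass-through load balancer
        # should return with the configuration shown above.
        findings = check_hsts([("Content-Type", "text/plain"),
                               ("Strict-Transport-Security", hsts_value_for_days(365))])
    print("OK" if not findings else "\n".join(findings))
```

Run it against the public HTTPS hostname of the Collector, not against the instance directly: the point of the check is that the load balancer forwards the header unchanged, and a browser only honours a policy it received over a valid HTTPS connection.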

You can find the relevant configuration properties in the docs for Collector.

Changelog

  • Add an option to send HSTS header (#409)