
I have a rather simple spring boot application run on the GCP app engine.

I enabled spring security to get the default security response headers on the API's endpoint.

Now I have all of the default headers except the HSTS when I deploy the app into the app-engine.

I created a self-signed cert to test the app locally and it returned the HSTS header, no problem there, but when I deploy the app into the app-engine, of all the headers, HSTS is missing.

Here is app.yaml (in which I redirect all HTTP requests to HTTPS; I also tried the HTTP-to-HTTPS redirection at app level via configuration, but no difference):

runtime: java11
instance_class: F4

handlers:
  - url: /.*
    script: auto
    secure: always
    redirect_http_response_code: 301

Here is the WebSecurityConfig file (and I know that there is no need to explicitly configure HSTS in here to get the default, but with or without it, it does not work):

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Explicit HSTS settings; Spring Security would emit the same header
        // (max-age=31536000; includeSubDomains) by default.
        http.headers().httpStrictTransportSecurity()
                .maxAgeInSeconds(31536000)
                .includeSubDomains(true);
    }
}

Here is the main:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;

@RestController
@SpringBootApplication
public class XXXApplication {

    public static void main(String[] args) {
        SpringApplication.run(XXXApplication.class, args);
    }

    // Single endpoint on the root path; the handler body was omitted in the post.
    @GetMapping("/")
    public ModelAndView suspended(@RequestParam(required = false, defaultValue = "This") String name) {
        // some stuff ...
    }

}

I know that the only way to set the HSTS header via App Engine in app.yaml is when you want to serve static content, which is not my case.

Can someone please help me with this? I am not sure what I missed and why HSTS is the only header I am not getting in the response after deploying into the app-engine.
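The following is an added example from the editor, not the asker's code and not an accepted answer to this question. It illustrates the mechanism that governs whether Spring Security emits the HSTS header at all: `HstsHeaderWriter` writes `Strict-Transport-Security` only when its request matcher accepts the request, and the default matcher is `SecureRequestMatcher`, i.e. `HttpServletRequest#isSecure()` must be true. App Engine's front end terminates TLS and hands the request to the instance over plain HTTP with an `X-Forwarded-Proto: https` header, so unless the container is told to honour forwarded headers, `isSecure()` is false and only the HSTS header is withheld while the other default headers are still written (which matches the symptom described above; whether this is the actual cause in the asker's deployment is an assumption). The package name and class name are hypothetical; the Spring classes and methods used are real.

```java
// Added example: make Spring Security see App Engine requests as secure so the
// default HSTS request matcher passes. Not the asker's code.
package com.example.hsts; // hypothetical package

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
@EnableWebSecurity
public class HstsBehindProxyConfig extends WebSecurityConfigurerAdapter {

    /**
     * ForwardedHeaderFilter rewrites scheme, host and port from the
     * X-Forwarded-* (and RFC 7239 Forwarded) headers, so request.isSecure()
     * becomes true for requests that reached the front end over HTTPS.
     * It is registered with the highest precedence so that it runs before
     * the Spring Security filter chain, which is where HstsHeaderWriter lives.
     *
     * Only do this when the application is reachable solely through the
     * proxy that sets these headers (as on App Engine); an application that
     * also accepts direct connections must not trust client-supplied
     * X-Forwarded-* values.
     */
    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Same HSTS policy as in the question. The default request matcher
        // (SecureRequestMatcher) is kept on purpose: with the filter above it
        // now matches proxied HTTPS requests, and the header is still withheld
        // from genuinely plain-HTTP requests, which browsers ignore anyway
        // (RFC 6797 section 8.1).
        http.headers()
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true);
    }
}
```

Two equivalent alternatives, both outside this block: setting `server.forward-headers-strategy=native` in `application.properties` lets the embedded Tomcat's `RemoteIpValve` do the same rewriting (`framework` registers the `ForwardedHeaderFilter` shown above for you), or, if you would rather not touch forwarded-header handling, `httpStrictTransportSecurity().requestMatcher(AnyRequestMatcher.INSTANCE)` makes Spring Security emit the header unconditionally; the latter is acceptable here only because `secure: always` in app.yaml guarantees that every request reaching the instance came in over HTTPS. To verify after deploying, request the HTTPS endpoint and confirm `Strict-Transport-Security` appears alongside the other default headers (`X-Content-Type-Options`, `X-Frame-Options`, `Cache-Control`).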

  • Do you use `http` or `https` endpoint to test presence of the HSTS header in the cloud? It won't be set for HTTP. – Max Ivanov Feb 26 '21 at 16:23
  • @MaxIvanov I use HTTPS, and as I mentioned the app.yaml config turns any request into HTTPS by default. – Kian Aghaei Feb 26 '21 at 20:02
  • I see. It was my guess that one could test with something like `curl -XGET -s -D - www.airbnb.com -o /dev/null` and not see the HSTS header in the response. But that's not your case. Sorry I know nothing about GCP to be helpful further. Good luck! – Max Ivanov Feb 26 '21 at 20:59
  • GAE lets you set HSTS headers (I do it with GAE Python) so you must have an error in how you are setting them. I don't know Java so can't give more detailed feedback. – new name Feb 27 '21 at 15:46
  • @gaefan You are correct, but as far as I understood we can only set the HSTS header in the app.yaml for static content we serve via app-engine. I am not aiming for that (serving static content), so I don't know what to do. – Kian Aghaei Feb 27 '21 at 15:50
  • @KianAghaei, No, you can set the headers in your code for non-static files as well. I do this in Python. – new name Feb 27 '21 at 19:45
  • @gaefan, right, and that is what I did (setting the header via Spring Security); what I said was that you cannot set the header for non-static content via the app.yaml config file, so I necessarily have to handle it in the app itself. But as I mentioned, I get all the headers except HSTS in response to the HTTPS request after I deploy the code into app engine. – Kian Aghaei Feb 27 '21 at 20:32

0 Answers