Enhancement of HTTP Strict-Transport-Security (HSTS) Settings

Status: Next

Issue:

When scanning with securityheaders.com, the following warning is generated:

Strict-Transport-Security: The "max-age" directive is too small. The minimum recommended value is 2592000 (30 days).

Currently, CloudStick has this configured as:

Strict-Transport-Security: max-age=604800; includeSubDomains

Suggested Fixes:

Increase the max-age value:

To align with best practices and avoid warnings, increase the max-age directive from 604800 (7 days) to a minimum of 2592000 (30 days). This change will enhance the security posture by ensuring that browsers remember to enforce HTTPS for a longer duration.

Consider removing the includeSubDomains directive by default:

While the includeSubDomains directive is valuable for comprehensive security, it may cause unintended issues if a user hosts services on subdomains or TLDs that are not intended to be secured by HSTS. Removing this directive by default would provide greater flexibility and reduce potential conflicts, with the option for users to enable it if needed.
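As an added example (not part of the original request and not CloudStick's own code), the following Python checker parses a Strict-Transport-Security header value, flags a max-age below the 30-day minimum that securityheaders.com recommends, and notes the operational caveat of includeSubDomains described above. The header values for the current and proposed settings are taken from this request; the function names, the constructed examples in the test run, and the "WARN"/"INFO" levels are assumptions of this example.

```python
import re

# Minimum max-age recommended by securityheaders.com: 30 days in seconds.
RECOMMENDED_MIN_MAX_AGE = 2592000
# Current CloudStick value as quoted in this request (7 days).
CURRENT_CLOUDSTICK_HEADER = "max-age=604800; includeSubDomains"
# Proposed default: 30 days, includeSubDomains left for the user to opt in.
PROPOSED_HEADER = "max-age=2592000"

SECONDS_PER_DAY = 86400


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns a dict with 'max_age' (int or None), 'include_subdomains' (bool)
    and 'preload' (bool). Directive names are matched case-insensitively
    (RFC 6797); unknown directives are ignored; a malformed max-age raises.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 allows a quoted value
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(header_value, minimum=RECOMMENDED_MIN_MAX_AGE):
    """Return a list of (level, message) findings; an empty list means no issues.

    'WARN' marks a setting that scanners such as securityheaders.com flag;
    'INFO' marks the includeSubDomains caveat: once a browser has seen it,
    every subdomain must serve valid HTTPS until max-age expires.
    """
    findings = []
    parsed = parse_hsts(header_value)
    if parsed["max_age"] is None:
        findings.append(("WARN", "max-age directive is missing; the header is invalid"))
    elif parsed["max_age"] < minimum:
        findings.append((
            "WARN",
            f"max-age={parsed['max_age']} ({parsed['max_age'] / SECONDS_PER_DAY:g} days) "
            f"is below the recommended minimum of {minimum} ({minimum // SECONDS_PER_DAY} days)",
        ))
    if parsed["include_subdomains"]:
        findings.append((
            "INFO",
            "includeSubDomains is set: all subdomains of this host must serve valid HTTPS, "
            "otherwise returning browsers cannot reach them until max-age expires",
        ))
    return findings


if __name__ == "__main__":
    for label, value in (("current", CURRENT_CLOUDSTICK_HEADER), ("proposed", PROPOSED_HEADER)):
        print(f"{label}: Strict-Transport-Security: {value}")
        for level, message in check_hsts(value) or [("OK", "no findings")]:
            print(f"  [{level}] {message}")
```

Running the script prints a WARN for the current 7-day value and nothing for the proposed 30-day value; the INFO line for includeSubDomains is informational only, so operators who do run HTTPS on every subdomain can keep the directive enabled without it being counted as a defect.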

Benefit:

  • Enhances overall security compliance.
  • Reduces potential configuration conflicts for users.
  • Improves the security rating on tools like securityheaders.com.
nordost

8 months ago


Activity
Aswin changed status to Next

4 months ago

Categories
Feature