Extension:HSTS

The HSTS extension implements the HTTP Strict Transport Security feature (RFC 6797) as an opt-in (or opt-out) for each user, so that a user who chooses it is always redirected to the HTTPS version of the website, provided the user agent (client browser) understands HSTS. The server administrator can also force anonymous and/or logged-in users to receive the STS header and thus stay on HTTPS.

Unless the server administrator forces HSTS, this extension adds a user preference controlling whether the Strict-Transport-Security (STS) header is sent. The time before expiration can be set by the server administrator either to a fixed number of seconds or to a fixed expiration date (e.g. just before certificate expiration, so that users are released if the administrator forgets to renew the certificate), and the policy can optionally include subdomains. Due to the nature of the HSTS specification, the "fixed number of seconds before expiration" maps directly onto the header's max-age value, while the "fixed date for expiration" is simulated by a header value that changes every second.

Note that this extension is useful only if the server administrator does not want to force all users to receive the STS header (in that case the administrator should instead remove this extension and set the header directly in the web server), for instance for a soft activation of HSTS. It cannot be guaranteed that the STS header will be present on every page served by the wiki (in particular low-level error pages), but it will be on every reasonably formed page, and a user agent should not interpret this as an error (see section 8.6 of RFC 6797).

Code
(For now, the code is only in this section, before being moved to git.)


 * HSTS.php


 * HSTS.i18n.php

Installation

 * 1) Create a directory   in your   directory.
 * 2) Copy the two files given on this page into this directory (check first in the page history that they were not maliciously modified).
 * 3) Add   to the bottom of LocalSettings.php.
 * 4) You can modify the configuration options by overriding them in the following lines.
 * 5) Installation can now be verified through Special:Version of your wiki.

Usage
The (logged-in) users can modify their preferences in the Special:Preferences page, section "User profile/Basic information". Note that, due to the nature of the HSTS specification, the user will have absolutely no access to the HTTP version of the wiki, even in case of a TLS/HTTPS problem (whether on the client or the server side); so any misconfiguration can be fatal for the remaining time HSTS is active.

Configuration
HSTS has two configuration variables which can be modified in.

 * : max-age parameter for HSTS; can be either:
   * a number: fixed number of seconds before expiration of HSTS; or
   * a date: when HSTS will expire (e.g. just before certificate expiration); MediaWiki must understand the date (see the manual).
 * : (boolean) whether to include the "includeSubDomains" keyword in the STS header.
 * : (boolean) whether to give the STS header to anonymous users.
 * : (boolean) whether to force the STS header for logged-in users; if true, the users no longer have the preference available, since it is not useful given the server administrator's decision.

Note that in the second case (a date) the header is dynamic, so you may want to configure your cache servers accordingly for a consistent user experience, particularly since the authoritative HSTS header is the last one sent, even if it is shorter.

Examples:
 * STS header fixed to 30 days before expiration:
 * The STS security will expire midday UTC on 18 August 2013:

If you are cautious about the effects of HSTS, you can try it in early tests with small values such as 1 minute or a near expiration date.
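To make the two max-age modes and the anonymous/logged-in rules above concrete, here is an added example (not the extension's own code) that builds the STS header value from configuration of the kind described; the parameter names mirror the wgHSTSForAnons/wgHSTSForUsers names from the Testing section, and PHP's strtotime() stands in for MediaWiki's date parsing.

```php
<?php
// Added example, not the extension's code. Returns the Strict-Transport-Security
// header value for one request, or null when no header should be sent.
//   $maxAge:  int = fixed seconds before expiry; string = absolute expiry date
//   $forAnons / $forUsers mirror $wgHSTSForAnons / $wgHSTSForUsers (assumed names);
//   $forUsers forces the header for logged-in users and ignores their preference.
//   $now is injectable so the fixed-date mode can be checked deterministically.
function hstsHeaderValue( $maxAge, bool $includeSubDomains, bool $isHttps,
    bool $isLoggedIn, bool $userPref, bool $forAnons, bool $forUsers,
    ?int $now = null ): ?string {
    // RFC 6797 section 7.2: the header must not be sent over plain HTTP.
    if ( !$isHttps ) {
        return null;
    }
    // Anonymous users get the header only when forced; logged-in users when
    // forced or when they opted in through their preference.
    $send = $isLoggedIn ? ( $forUsers || $userPref ) : $forAnons;
    if ( !$send ) {
        return null;
    }
    $now = $now ?? time();
    if ( is_int( $maxAge ) ) {
        // Fixed duration: the header value is constant across requests.
        $seconds = $maxAge;
    } else {
        // Fixed expiry date: remaining seconds shrink on every request, which is
        // why the page warns that caches must not serve a stale header.
        $expiry = strtotime( $maxAge ); // stand-in for MediaWiki's date parsing
        if ( $expiry === false ) {
            throw new InvalidArgumentException( "Unparseable HSTS expiry date: $maxAge" );
        }
        $seconds = $expiry - $now;
    }
    // After the date has passed, stop sending the header instead of emitting a
    // zero or negative max-age (a zero max-age would actively clear the policy).
    if ( $seconds <= 0 ) {
        return null;
    }
    $value = "max-age=$seconds";
    if ( $includeSubDomains ) {
        $value .= '; includeSubDomains';
    }
    return $value;
}

// Constructed usage: the page's fixed-date example, evaluated one hour before
// expiry for a logged-in user on HTTPS with the header forced by the admin.
$expiry = '2013-08-18T12:00:00Z';
$oneHourBefore = strtotime( $expiry ) - 3600;
echo hstsHeaderValue( $expiry, true, true, true, false, false, true, $oneHourBefore ), "\n";
echo var_export( hstsHeaderValue( 2592000, false, false, true, true, true, true ), true ), "\n";
```

The second call shows the plain-HTTP case returning null even though every other condition would permit the header.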

Testing
Version 0.2 has been tested by extension author Seb35 on a local test wiki (MW 1.22alpha + Apache 2.2.14 + Opera 12.16 + Dragonfly to check the headers) and all works as expected: the STS header is present if and only if (iff) we are on HTTPS and either wgHSTSForAnons/Users is true or (the preference is activated and wgHSTSForUsers is false); includeSubDomains is present iff the parameter is activated; the fixed duration-before-expiration stays constant; the duration-before-expiration for a fixed date decreases; and the STS header is no longer present after expiration.

Bugs
The user preference must be saved under HTTPS: if it is unchecked, the user is sure that HTTPS is working for him/her; if it is checked, only the authenticated user must be able to uncheck the preference. Otherwise an attacker holding session tokens (obtained before the user moved to HTTPS) could uncheck the preference and wait out the remaining time of HSTS. This bug is present in versions 0.1 and 0.2.