HSTS with Traefik

• Web   • Networking   • How-To   • Security

The settings to get an A+ rating on SSL Labs!

I didn’t find any simple guide out there to do this so I thought I’d write it myself.

Traefik HSTS Configuration

The Traefik documentation mentions HSTS in only one place and gives no example for it. Traefik's security headers, HSTS included, are implemented by a separate Go library, unrolled/secure, and that project's README is where the available options are documented.

Add the following Docker labels to your container, or the equivalent headers settings on the frontend in your traefik.toml. With these values Traefik sends Strict-Transport-Security: max-age=31536000; includeSubDomains; preload on every HTTPS response from that frontend:

traefik.frontend.headers.STSSeconds: "31536000"
traefik.frontend.headers.STSIncludeSubdomains: "true"
traefik.frontend.headers.STSPreload: "true"

While you're there, restrict the HTTPS entrypoint to TLS 1.2 and to cipher suites that give forward secrecy (ECDHE key exchange) and AEAD encryption (AES-GCM or ChaCha20-Poly1305). Two caveats: the suites below are the ECDHE_RSA variants, so they only work with an RSA certificate (use the TLS_ECDHE_ECDSA_* equivalents for an ECDSA certificate), and because Traefik is written in Go, cipherSuites only governs TLS 1.2; if your build negotiates TLS 1.3, its suites are fixed by Go and cannot be restricted here. This is configured on the HTTPS entrypoint:

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      ]
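To check a cipherSuites list against the policy just described (forward secrecy, AEAD only, and usable with the certificate you actually serve), here is a small linter. It is an added example, not Traefik's or unrolled/secure's own code; it takes the suite names in the Go crypto/tls spelling that traefik.toml uses, and the cert_key_type parameter and the TLS 1.3 name handling are assumptions of this example.

```python
"""Lint a Traefik v1 cipherSuites list: forward secrecy, AEAD only, usable with the cert.

Suite names follow Go's crypto/tls constants, which is what Traefik expects in traefik.toml.
"""
import re
from typing import Dict, List

# The cipherSuites list from the traefik.toml above.
TRAEFIK_CIPHER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
]

# TLS 1.2-style names: key exchange, optional authentication algorithm, then the cipher.
SUITE_RE = re.compile(r"^TLS_(ECDHE|DHE|RSA)(?:_(RSA|ECDSA))?_WITH_(.+)$")
# TLS 1.3 names carry no key exchange or authentication part (assumed spelling: Go's constants).
TLS13_RE = re.compile(r"^TLS_(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$")


def classify(suite: str) -> Dict[str, object]:
    """Break a suite name into the properties the policy cares about."""
    if TLS13_RE.match(suite):
        # TLS 1.3 suites are always (EC)DHE + AEAD and work with any certificate type;
        # Go ignores the cipherSuites setting for TLS 1.3, so listing them has no effect.
        return {"kx": "ECDHE", "auth": None, "cipher": suite[4:],
                "forward_secrecy": True, "aead": True, "tls13": True}
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name {suite!r}")
    kx, auth, cipher = m.group(1), m.group(2) or m.group(1), m.group(3)
    return {
        "kx": kx,
        "auth": auth,                                   # certificate key type the suite needs
        "cipher": cipher,
        "forward_secrecy": kx in ("ECDHE", "DHE"),      # static RSA key exchange has none
        "aead": "GCM" in cipher or "CHACHA20_POLY1305" in cipher,
        "tls13": False,
    }


def lint_cipher_suites(suites: List[str], cert_key_type: str = "RSA") -> List[str]:
    """Return policy findings for a suite list; an empty list means it passes.

    cert_key_type (assumed parameter) is the public key algorithm of the certificate
    Traefik serves, "RSA" or "ECDSA": a TLS 1.2 suite only works with a matching cert.
    """
    findings = []
    usable_with_cert = 0
    for suite in suites:
        info = classify(suite)
        if not info["forward_secrecy"]:
            findings.append(f"{suite}: no forward secrecy ({info['kx']} key exchange)")
        if not info["aead"]:
            findings.append(f"{suite}: not an AEAD cipher ({info['cipher']})")
        if info["tls13"]:
            findings.append(f"{suite}: TLS 1.3 suite; Go does not let cipherSuites restrict TLS 1.3")
        elif info["auth"] == cert_key_type:
            usable_with_cert += 1
    if usable_with_cert == 0:
        findings.append(
            f"no suite authenticates with a {cert_key_type} certificate; "
            f"TLS 1.2 handshakes would fail (use the TLS_ECDHE_{cert_key_type}_* suites)")
    return findings


if __name__ == "__main__":
    for key_type in ("RSA", "ECDSA"):
        print(key_type, lint_cipher_suites(TRAEFIK_CIPHER_SUITES, key_type) or "OK")
    print("legacy", lint_cipher_suites(["TLS_RSA_WITH_AES_128_CBC_SHA"]))
```

Running it shows the page's list passing with an RSA certificate, failing outright with an ECDSA certificate (no suite would be negotiable), and a legacy static-RSA CBC suite failing both the forward-secrecy and the AEAD check.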

What is HSTS?

HTTP Strict Transport Security (HSTS) is a response header, Strict-Transport-Security, that tells browsers your site must ONLY be accessed over HTTPS. Once a browser has received the header on a valid HTTPS connection, it will, for max-age seconds (one year with the settings above), rewrite every http:// URL for the host to https:// before connecting and will refuse to click through certificate errors. includeSubDomains extends the policy to every subdomain, so only enable it when all of them are served over HTTPS. The very first visit is still unprotected unless the domain is in the browsers' built-in preload list; the preload directive signals your consent to be added to it (submit the domain at hstspreload.org), and since removal from the list takes months, treat it as permanent.

Websites

Some other websites to check your HTTPS configuration as well as other web features: