
fix(security): increase HSTS max-age to 1 year #4590

Open

vfanucci wants to merge 1 commit into main from fix/hsts-max-age

Conversation

@vfanucci
Contributor

Summary

Increases Strict-Transport-Security max-age from 15552000 (~180 days) to 31536000 (365 days).

Why

  • HSTS preload eligibility — browsers (Chrome, Firefox, Safari) maintain a preload list of sites that must always be loaded over HTTPS. The minimum requirement is max-age >= 31536000. At 15552000 we don't qualify.
  • No downside — kestra.io is HTTPS-only behind Cloudflare with no reason to ever serve HTTP. The only risk of a longer max-age is being locked into HTTPS for longer, which is a non-issue.

Change

src/middlewares/worker.ts line 62:

- response.headers.set("strict-transport-security", "max-age=15552000")
+ response.headers.set("strict-transport-security", "max-age=31536000")
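Review bot: the new value still carries only max-age, so on its own it does not reach the preload eligibility given as the motivation in the Why section: hstspreload.org also requires the includeSubDomains and preload directives on the header served by the base domain, in addition to an HTTP-to-HTTPS redirect and HTTPS on every subdomain. If preload is the goal, this line should set `max-age=31536000; includeSubDomains; preload`, but only after confirming every subdomain of kestra.io can be served over HTTPS, since includeSubDomains combined with a one-year max-age is effectively irreversible for any client that has cached the header. If only the longer max-age is intended for now, the Why section should state that preload submission is a follow-up rather than an outcome of this change.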

Verification

  • Deploy preview → curl -sI https://<preview-url> | grep strict-transport-security
    Expected output contains max-age=31536000

🤖 Generated with Claude Code
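
An added example, not code from the kestra.io repository or from the PR author, showing how the header value the diff sets measures up against the hstspreload.org submission requirements: a parser for Strict-Transport-Security directives following RFC 6797 (case-insensitive names, a repeated directive invalidates the header, max-age may be quoted, unknown directives are ignored) and a checker that lists what a value still lacks for preload (max-age of at least 31536000, includeSubDomains, preload). The function names (parseHsts, preloadProblems, compareSamples) are the example's own; BEFORE and AFTER are the values from the diff and PRELOAD_READY is a constructed preload-ready value.

```typescript
// Added example (not kestra.io project code): parse a Strict-Transport-Security
// header value and report what it lacks for hstspreload.org submission.
// Directive handling follows RFC 6797 section 6.1: names are case-insensitive,
// a repeated directive makes the header invalid, max-age may be a quoted-string,
// and unknown directives are ignored.

export const ONE_YEAR_SECONDS = 31536000; // minimum max-age accepted by the preload list

export interface HstsPolicy {
  maxAge: number | null;        // seconds; null when absent or unparsable
  includeSubDomains: boolean;
  preload: boolean;
  valid: boolean;               // false on duplicate/malformed directives or missing max-age
}

export function parseHsts(headerValue: string): HstsPolicy {
  const policy: HstsPolicy = { maxAge: null, includeSubDomains: false, preload: false, valid: true };
  const seen = new Set<string>();

  for (const raw of headerValue.split(";")) {
    const directive = raw.trim();
    if (directive === "") continue; // tolerate a trailing ";"

    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");

    if (seen.has(name)) { policy.valid = false; continue; } // RFC 6797: duplicate directive => invalid
    seen.add(name);

    switch (name) {
      case "max-age":
        if (value === null || !/^\d+$/.test(value)) { policy.valid = false; break; }
        policy.maxAge = Number(value);
        break;
      case "includesubdomains":
        policy.includeSubDomains = true;
        break;
      case "preload":
        policy.preload = true;
        break;
      default:
        break; // unknown directive: ignore, per RFC 6797
    }
  }

  if (policy.maxAge === null) policy.valid = false; // max-age is mandatory
  return policy;
}

// Returns the preload-list header requirements the value fails; an empty list means eligible.
export function preloadProblems(headerValue: string): string[] {
  const p = parseHsts(headerValue);
  const problems: string[] = [];
  if (!p.valid) problems.push("header is malformed or missing max-age");
  if (p.maxAge !== null && p.maxAge < ONE_YEAR_SECONDS) {
    problems.push(`max-age ${p.maxAge} is below ${ONE_YEAR_SECONDS}`);
  }
  if (!p.includeSubDomains) problems.push("missing includeSubDomains directive");
  if (!p.preload) problems.push("missing preload directive");
  return problems;
}

// Constructed sample values: the diff's before and after, and a preload-ready header.
export const BEFORE = "max-age=15552000";
export const AFTER = "max-age=31536000";
export const PRELOAD_READY = "max-age=31536000; includeSubDomains; preload";

// Compare the three values side by side: header value -> remaining problems.
export function compareSamples(): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const v of [BEFORE, AFTER, PRELOAD_READY]) out[v] = preloadProblems(v);
  return out;
}

console.table(compareSamples());
```

Running compareSamples shows that the PR's value clears only the max-age requirement; the two missing directives are what the preload submission form checks next. To check a live deployment, feed preloadProblems the header value printed by the curl command in the Verification step.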

@github-actions
Contributor

github-actions bot commented Apr 14, 2026

☁️ Cloudflare Worker Preview Deployed!

🔗 https://ks-fix-hsts-max-age-docs.kestra-io.workers.dev
🔗 https://d41681e3-docs.kestra-io.workers.dev

## 🔦 Lighthouse Benchmark

Tested: https://ks-fix-hsts-max-age-docs.kestra-io.workers.dev on 2026-04-14 10:35 UTC
Compared against main baseline from 2026-04-10

Scores (0–100, higher is better)

| Page | Performance | Accessibility | Best Practices | SEO |
|---|---|---|---|---|
| Home | 63 | 79 | 59 | 92 |
| Pricing | 98 | 88 | 59 | 100 |
| Enterprise | 89 | 78 | 59 | 100 |
| Cloud | 89 | 83 | 59 | 100 |
| About Us | 98 | 87 | 59 | 100 |
| Docs Landing | 82 | 84 | 59 | 92 |
| Contribute to Kestra (simple docs) | 97 | 84 | 59 | 92 |
| Flow (full featured docs) | 92 | 86 | 59 | 92 |
| Blog Index | 65 🔻 -16 | 86 | 59 | 100 |
| Blog Post (sample) | 93 | 83 | 59 | 100 |
| VS Page (sample) | 97 | 88 | 59 | 100 |
| Plugins Landing | 94 | 77 | 59 | 92 |
| Plugin Page (sample) | 96 | 87 | 59 | 100 |
| Plugin Debug Page (sample) | 95 | 87 | 59 | 100 |
| Plugin Debug Return Page (sample) | 96 | 87 | 59 | 100 |
| Blueprints Landing | 92 | 77 | 56 | 92 |
| Blueprint Audit Logs CSV Export | 63 | 82 | 59 | 100 |

Core Web Vitals (lower is better)

| Page | LCP | FCP | TBT | CLS | Speed Index |
|---|---|---|---|---|---|
| Home | 1.41 s 🟢 | 0.96 s 🟢 | 534 ms 🔻 | 0.000 | 4.42 s 🟢 |
| Pricing | 1.07 s | 0.58 s | 52 ms | 0.000 | 0.82 s |
| Enterprise | 2.07 s | 0.91 s | 49 ms 🔻 | 0.000 | 1.05 s 🟢 |
| Cloud | 2.08 s | 0.50 s | 89 ms 🔻 | 0.000 | 0.87 s |
| About Us | 1.00 s | 0.56 s | 52 ms | 0.000 | 0.81 s |
| Docs Landing | 2.83 s 🔻 | 0.67 s 🟢 | 121 ms | 0.000 | 0.94 s |
| Contribute to Kestra (simple docs) | 0.94 s | 0.57 s | 124 ms 🔻 | 0.003 | 0.74 s |
| Flow (full featured docs) | 1.25 s | 0.66 s 🟢 | 180 ms | 0.000 | 1.10 s |
| Blog Index | 7.52 s 🔻 | 0.51 s 🟢 | 48 ms | 0.001 | 20.37 s 🔻 |
| Blog Post (sample) | 1.80 s 🔻 | 0.49 s | 48 ms | 0.000 | 0.60 s 🟢 |
| VS Page (sample) | 1.20 s | 0.54 s | 62 ms | 0.000 | 0.92 s |
| Plugins Landing | 0.99 s 🟢 | 0.48 s | 104 ms 🔻 | 0.000 | 2.04 s 🔻 |
| Plugin Page (sample) | 0.87 s | 0.51 s | 49 ms 🔻 | 0.051 | 1.78 s |
| Plugin Debug Page (sample) | 0.89 s | 0.53 s | 86 ms | 0.001 | 1.86 s 🔻 |
| Plugin Debug Return Page (sample) | 0.96 s 🟢 | 0.53 s | 90 ms | 0.025 | 1.55 s |
| Blueprints Landing | 1.42 s | 0.79 s | 8 ms 🟢 | 0.000 | 1.97 s 🔻 |
| Blueprint Audit Logs CSV Export | 0.97 s 🟢 | 0.58 s | 268 ms 🔻 | 0.485 | 2.14 s |

Legend: 🟢 improved · 🔻 regressed · (blank) no significant change
Score threshold: ±10 pts · Metric threshold: ±30% of baseline

@vfanucci
Contributor Author

Very low priority on this one

vfanucci marked this pull request as ready for review on April 14, 2026 at 10:21
