[nginx] HSTS feature always adds 'preload', creates risk of domain sabotage #466

Closed
whereisaaron opened this issue Mar 18, 2017 · 1 comment · Fixed by #563

@whereisaaron
Contributor

If the HSTS feature is enabled, the current template always adds preload to the Strict-Transport-Security header. There is no way to disable it.

https://github.com/kubernetes/ingress/blob/master/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl#L224

"Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";

Having preload there enables someone to maliciously submit your domain for browser pre-loading and prevent HTTP working for your domain for all time.

You can mitigate this risk by setting a short 'max-age' or by not including the subdomain option, since both are required for preload listing. But if anyone ever got caught, it would take them many months and a lot of effort to get it fixed.

The preload option is a special flag only needed for a short time while you are registering a domain for preload. After that you can remove it, since you are now preloaded forever. I don't think this should be the default, and if it is needed, it should be a separate option to add it.

Is that reasonable? Can we just remove preload? Or do people need it?

(I think HSTS should ideally be per Ingress, since one size doesn't fit all, for all the domains that might go to a particular Ingress controller. But that is a bigger change, to add annotation support for that.)
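An added example, not part of the issue or of the project's code: the header line quoted above rendered with Go's `text/template`, with `; preload` gated behind an opt-in field, plus a check for whether the resulting header carries every directive a preload submission needs. The `HSTSPreload` field, the function names and the `31536000` minimum max-age passed in `main` are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Config holds the fields the issue's template line reads; HSTSPreload is a hypothetical opt-in.
type Config struct {
	HSTSMaxAge                         string
	HSTSIncludeSubdomains, HSTSPreload bool
}

// The header line quoted in the issue, with "; preload" made conditional.
var hstsTmpl = template.Must(template.New("hsts").Parse(`Strict-Transport-Security: max-age={{ .HSTSMaxAge }}` +
	`{{ if .HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if .HSTSPreload }}; preload{{ end }}`))

// RenderHSTS returns the full header line produced for cfg.
func RenderHSTS(cfg Config) string {
	var b strings.Builder
	if err := hstsTmpl.Execute(&b, cfg); err != nil {
		panic(err)
	}
	return b.String()
}

// PreloadSubmittable reports whether a full header line has preload, includeSubDomains
// and max-age >= minAge (minAge is the caller's assumption about the list's minimum).
func PreloadSubmittable(header string, minAge int) bool {
	_, value, _ := strings.Cut(header, ":")
	age, sub, preload := -1, false, false
	for _, d := range strings.Split(value, ";") {
		d = strings.ToLower(strings.TrimSpace(d))
		switch {
		case strings.HasPrefix(d, "max-age="):
			age, _ = strconv.Atoi(strings.Trim(d[len("max-age="):], `"`))
		case d == "includesubdomains": sub = true
		case d == "preload": preload = true
		}
	}
	return preload && sub && age >= minAge
}

func main() {
	// Constructed configs: preload always on (as reported) versus left off by default.
	for _, c := range []Config{{"31536000", true, true}, {"31536000", true, false}} {
		fmt.Println(RenderHSTS(c), "=> submittable:", PreloadSubmittable(RenderHSTS(c), 31536000))
	}
}
```

Running `PreloadSubmittable` against the headers an ingress actually serves shows which hosts are currently exposed to a third-party preload submission.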

@whereisaaron whereisaaron changed the title HSTS feature always adds 'preload', creates risk of domain sabotage [nginx] HSTS feature always adds 'preload', creates risk of domain sabotage Mar 18, 2017
@whereisaaron
Contributor Author

Many thanks @aledbf, that looks perfect 🙌 🎉
