HSTS implementation

Hi!

Is there a way we can convert HTTP API calls to HTTPS?

I tried searching about HSTS but almost no inputs on how to implement it in APIGEE.

Thanks!!


1. How to implement HSTS.

In this regard, Apigee Edge is no different from any other endpoint. Implement HSTS in Apigee Edge the same way you would anywhere else: include a header like

Strict-Transport-Security: max-age=31536000

...or something like that, with every response that the proxy sends back over a secure vhost. Do this with an AssignMessage policy. Set the max-age to whatever you think is appropriate.

2. You also asked about "converting HTTP API calls to HTTPS"

I don't know exactly what you mean by "convert". I think, because you're asking about HSTS, that by "convert" you mean "communicate to a client that tries using HTTP that it needs to use HTTPS". In that case, just have a single API Proxy that listens on an insecure vhost (in other words, the vhost named "default") and always and only responds with a 301 status, with a Location header pointing to the https endpoint. Again, this is no different from what you would do if you were using any other system.


If there is something else you are not clear on, please elaborate and we'll try to give you more information.
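Dino's second point, as an added example (this is not code from the original post or from Apigee's own documentation): a minimal API proxy bound to the insecure "default" virtual host that answers every request with a 301 to the same host and path over HTTPS. The policy and endpoint names, the use of the request.header.host and request.uri variables in the Location template, and the assumption that nothing else is deployed on the "default" vhost are mine.

```xml
<!-- policies/RF-Redirect-To-HTTPS.xml (added example; names are assumed).
     RaiseFault terminates the flow and returns the configured fault
     response, so the request never reaches any target. -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-Redirect-To-HTTPS">
  <DisplayName>RF-Redirect-To-HTTPS</DisplayName>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <StatusCode>301</StatusCode>
      <ReasonPhrase>Moved Permanently</ReasonPhrase>
      <Headers>
        <!-- request.uri is the path plus query string. The Host header is
             assumed to carry the public hostname; if a load balancer in
             front of Edge rewrites it, substitute a fixed hostname here. -->
        <Header name="Location">https://{request.header.host}{request.uri}</Header>
      </Headers>
      <Payload contentType="text/plain">Moved Permanently</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- proxies/default.xml (added example): the ProxyEndpoint listens only on
     the insecure vhost and has no target, so nothing can be served over
     plain HTTP by mistake. BasePath "/" assumes no other proxy is deployed
     on the "default" vhost. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>RF-Redirect-To-HTTPS</Name>
      </Step>
    </Request>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/</BasePath>
    <VirtualHost>default</VirtualHost>
  </HTTPProxyConnection>
  <!-- No TargetEndpoint: the RaiseFault above always ends the flow first. -->
  <RouteRule name="no-target"/>
</ProxyEndpoint>
```

Two caveats for an API (as opposed to a website): most API clients do not follow redirects, and a 301 turns a POST into a GET in those that do, so the redirect is a courtesy, not a control. HSTS itself is honoured only by browsers. The actual protection is that the insecure vhost serves nothing but this redirect proxy, so any credential a client sends in the clear reaches no backend.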

Hey Dino, I tried this approach, but it didn't work.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
    <DisplayName>Assign Message-1</DisplayName>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
        </Headers>
        <QueryParams/>
        <FormParams/>
    </Add>
    <AssignVariable>
        <Name>name</Name>
        <Value/>
        <Ref/>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="true" transport="http" type="request"/>
</AssignMessage>

Can you update the "true" to "false" and try it out?

<AssignTo createNew="true" transport="http" type="request"/> 

to

<AssignTo createNew="false" transport="http" type="request"/>

It's working for us with the above change; the idea is that it should not create a new response, it should pass the same response back.

Yes, that will work. Using createNew="true" tells the policy to create a new message. But because you don't specify the name of a message in AssignTo, the policy tries to create a new message called "message", which... already exists! So that will fail at runtime.

Removing the createNew="true" will allow it to succeed. In that case it just uses the existing message, by default named "message".

Just FYI, the configuration within AssignMessage that uses createNew="false", like this:

<AssignTo createNew="false" transport="http" type="request"/>

...does nothing. You can (probably should) completely omit it.

In fact, I think I will create a new plugin to apigeelint that will flag such usage.
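The configuration the thread converges on, as an added example (not the original poster's policy and not an Apigee sample): an AssignMessage with no <AssignTo> at all, as Dino recommends, attached to the response flow and guarded so the header is only emitted when the request arrived over TLS. It also covers Dino's first reply, which describes the same policy. <Set> is used instead of <Add> so that a Strict-Transport-Security header already sent by the target is replaced rather than duplicated. The policy and step names, the "secure" vhost name and base path, and the use of client.scheme for the guard are my assumptions.

```xml
<!-- policies/AM-Add-HSTS-Header.xml (added example; names are assumed). -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-Add-HSTS-Header">
  <DisplayName>AM-Add-HSTS-Header</DisplayName>
  <!-- <Set> replaces any Strict-Transport-Security header the target
       already sent; <Add> would append a second copy. -->
  <Set>
    <Headers>
      <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <!-- No <AssignTo>: with it omitted the policy modifies the current
       message, which is the response when the step runs in a response
       flow. createNew="true" without a name fails at runtime, and
       createNew="false" is the default and does nothing. -->
</AssignMessage>

<!-- proxies/default.xml (added example): attach the policy in the
     response flow, only for requests that arrived over TLS. Browsers
     ignore HSTS received over plain HTTP, so sending it there achieves
     nothing. The vhost name "secure" and the base path are assumed. -->
<ProxyEndpoint name="default">
  <PostFlow name="PostFlow">
    <Response>
      <Step>
        <Condition>client.scheme = "https"</Condition>
        <Name>AM-Add-HSTS-Header</Name>
      </Step>
    </Response>
  </PostFlow>
  <!-- Fault responses (RaiseFault, policy errors) skip PostFlow, so the
       same step is attached here too; otherwise error responses would
       go out without the header. -->
  <DefaultFaultRule name="default-fault">
    <AlwaysEnforce>true</AlwaysEnforce>
    <Step>
      <Condition>client.scheme = "https"</Condition>
      <Name>AM-Add-HSTS-Header</Name>
    </Step>
  </DefaultFaultRule>
  <HTTPProxyConnection>
    <BasePath>/v1/example</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

Pick max-age deliberately: once a browser has seen includeSubDomains with a long max-age, every subdomain of that host must serve valid TLS for that period, and the only way back is to serve a max-age=0 header over HTTPS to each affected client. Starting with a short max-age and raising it after the rollout is verified is the usual practice.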