Secure your website by setting the Strict-Transport-Security (HSTS) HTTP header. This header tells the browser never to load your website over plain HTTP; instead, the browser upgrades every request to HTTPS on its own. You can easily configure Istio to set this header on each response.
Explanation
If your website accepts connections over plain HTTP and redirects the user to HTTPS, visitors can receive an unencrypted response from your site before the redirect happens. This is the case, for example, when a user types http://www.yoursite.com instead of https://www.yoursite.com. That first plaintext exchange creates an opportunity for a man-in-the-middle attack: instead of being redirected to the HTTPS version of your site, visitors could be redirected to a malicious site.
Prerequisites
Set Strict-Transport-Security (HSTS) header in Istio Virtual-Service
kind: VirtualService
apiVersion: networking.istio.io/v1beta1
metadata:
  name: my-virtual-service
  namespace: default
spec:
  hosts:
  - yoursite.com
  gateways:
  - istio-system/my-gateway
  http:
  - name: default-route
    route:
    - destination:
        host: my-service
        port:
          number: 80
    headers:
      response:
        set:
          Strict-Transport-Security: "max-age=31536000; includeSubDomains"
You can test your configuration at https://hstspreload.org/, or your complete TLS setup including HSTS at https://www.ssllabs.com/ssltest/. Keep in mind that a browser only remembers the policy after it has received the header over a successful HTTPS connection; the very first plain-HTTP visit is still exposed, which is the gap the preload lists close. If the test succeeds, you can also add the "preload" directive. This lets you submit your website to the major browsers' HSTS preload lists. Before doing so I recommend reading this paragraph on why you might not want to activate this feature.
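Before running the external tests, it helps to see what a browser will do with the header you set. The following Python is an added example (not part of this post or of Istio): it parses a Strict-Transport-Security value the way RFC 6797 prescribes, classifies the policy found in a raw HTTP response, and checks it against the preload-list requirements (max-age of at least one year, includeSubDomains, preload). The sample response is constructed to resemble what the VirtualService above would emit.

```python
import re

ONE_YEAR = 31536000  # the max-age the VirtualService above sets

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax) into a dict.
    Returns None for an invalid header, which browsers treat as no policy at all."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # RFC 6797: a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as RFC 6797 requires
    return policy if policy["max_age"] is not None else None  # max-age is mandatory

def hsts_status(raw_response):
    """Classify the HSTS policy carried by raw HTTP response headers."""
    policy = None
    for line in raw_response.split("\r\n")[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            policy = parse_hsts(val)
            break  # browsers only process the first STS header field
    if policy is None:
        return "missing-or-invalid"
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to forget the policy
    if policy["max_age"] >= ONE_YEAR and policy["include_subdomains"] and policy["preload"]:
        return "preload-eligible"
    return "enabled"

# Constructed response, shaped like what the VirtualService above would emit.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "server: istio-envoy\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "content-type: text/html\r\n\r\n"
)
```

Feed it the header block of a real response (for example the output of `curl -sI https://yoursite.com`) to check what your gateway actually sends.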
Helpful Links
Leave a comment or contact me via DM when you have a problem or a question.