We enforce HTTPS and redirect HTTP to HTTPS.
We use HTTP status code 302 rather than 301 because browsers cache a 301 permanently, which would lock external domains into HTTPS forever; with a 301, it would be much harder for our users to later point the domain at another hosting provider that only serves plain HTTP.
We use lua-resty-auto-ssl to issue Let’s Encrypt certificates for every external domain that is connected to an Uberspace. This happens automagically when a domain is requested by a client for the first time. For privacy reasons every domain gets its own certificate rather than sharing one with other domains. We also handle renewal: certificates are renewed once they would expire in less than 30 days.
For security reasons we set some HTTP headers in our frontend:
Referrer-Policy: strict-origin-when-cross-origin: Sends only the origin, not the full URL with its GET parameters, to linked sites on other origins over HTTPS, and sends no referrer at all when following a link to unencrypted HTTP, so neither the query string nor the domain leaks.
Strict-Transport-Security: max-age=172800: Tells the browser that the site may only be loaded via HTTPS for the next two days (172800 seconds).
X-Xss-Protection: 1; mode=block: Tells the browser to enable its built-in cross-site scripting filter and to block the page entirely, rather than try to sanitise it, when an attack is detected.
X-Frame-Options: SAMEORIGIN: Prevents the site from being embedded in a frame by another domain (clickjacking), i.e. blocks other sites from tricking a logged-in user into triggering actions on your site, such as deleting a profile.
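As an added check, not Uberspace's own code, the following Python script verifies a pair of responses against the redirect and header policy described above; the host name and the sample responses are constructed for illustration.

```python
"""Verify that an HTTP redirect and an HTTPS response follow the policy
described above: HTTP -> HTTPS via 302 (not 301), HSTS of at least two
days, and the three fixed security headers. Added example; the sample
responses at the bottom are constructed, not captured from a real host."""
import re

# Header values the frontend is described as setting.
EXPECTED_HEADERS = {
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
}
MIN_HSTS_MAX_AGE = 172800  # two days, as in the Strict-Transport-Security header


def check_http_redirect(status, headers, host):
    """Return findings for a plain-HTTP response; empty list means compliant.
    Expects a 302 whose Location is the https:// URL of the same host."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status != 302:
        findings.append(f"expected 302 redirect, got {status}")
    location = h.get("location", "")
    if not re.match(rf"https://{re.escape(host)}(/|$)", location):
        findings.append(f"redirect target is not https://{host}/...: {location!r}")
    return findings


def check_https_headers(headers):
    """Return findings for an HTTPS response's security headers."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    for name, expected in EXPECTED_HEADERS.items():
        if h.get(name) != expected:
            findings.append(f"{name}: expected {expected!r}, got {h.get(name)!r}")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("strict-transport-security missing or without max-age")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")
    return findings


if __name__ == "__main__":
    # Constructed sample responses for the hypothetical domain example.org.
    print(check_http_redirect(302, {"Location": "https://example.org/"}, "example.org"))
    print(check_https_headers({
        "Strict-Transport-Security": "max-age=172800",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Xss-Protection": "1; mode=block",
        "X-Frame-Options": "SAMEORIGIN",
    }))
```

Both functions return an empty list for a compliant response, so the script can be fed the headers captured from any domain hosted behind the frontend.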