Considerations with HSTS and storing website assets on Amazon S3

With SSL certificates getting cheap through some providers and many guides offering easy setup instructions, it is worth approaching the setup with some caution.

Aral Balkan has a well-written set of instructions on his website on how to set up SSL with a best-practice configuration.

It is all very good information.

There is one line, however, that you should make sure you understand properly before copying it:

# Add HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

HSTS is a very good idea and browser support is good. You should definitely implement it. What you need to be careful with is includeSubdomains: it tells the browser that every subdomain of your site, not just the host that sent the header, must be fetched over HTTPS for the whole max-age (one year in the line above).

It may be a good idea in the context of your website, but take this case scenario:

  1. You store the media assets for your website, e.g. some eCommerce site called shithotwatches.com, on Amazon S3
  2. You have set up a CNAME on your domain, e.g. media.shithotwatches.com, that points at your S3 bucket
  3. All the images (or other assets) on shithotwatches.com use media.shithotwatches.com URLs

This will break every image on your website. Because the parent domain (your website) has told the browser that all of its subdomains must be accessed over SSL, the browser rewrites every embedded image URL from http://media.shithotwatches.com to https://media.shithotwatches.com before the request is even sent (this is a client-side rewrite, not a server redirect), and S3 does not support SSL on custom domains: the certificate it presents is issued for its own endpoint names (*.s3.amazonaws.com), not for your CNAME.

Most browsers will therefore refuse to load the assets, because the name on the certificate does not match the hostname in the URL. Note that this is not something you can test by looking at the server: the S3 endpoint is unchanged, the failure happens in the browser.

So you then have these options:

  1. Take out includeSubdomains. Be aware that browsers which have already cached the header keep applying the old policy until they next load your site over HTTPS and receive the updated header (or the max-age expires), so fix this before the header is deployed, not after.

  2. Use the S3 endpoint address directly, e.g. bucketname.s3.amazonaws.com, as the S3 certificate is valid for those names. One caveat: the wildcard in that certificate covers a single DNS label only, so a bucket whose name contains dots (such as media.shithotwatches.com, which is the name a CNAME-aliased bucket has to carry) still fails the certificate check. For those, use the path-style form https://s3.amazonaws.com/bucketname/...

  3. Use something like CloudFront to deliver the images over SSL (extra costs involved)
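The following is an added example, not code from the original post. It models the two rules that produce the breakage described above, the browser's HSTS URL rewrite (RFC 6797) and certificate hostname matching with a single-label wildcard (RFC 6125), and runs the post's asset URLs through both. The site name is the post's hypothetical shithotwatches.com; the bucket names and the list of names on the S3 certificate are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Names a typical S3 endpoint certificate covers (assumption for this example).
S3_CERT_NAMES = ("s3.amazonaws.com", "*.s3.amazonaws.com")


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {max_age, include_subdomains}.

    Directive names are case-insensitive (RFC 6797 section 6.1), so
    'includeSubdomains' and 'includeSubDomains' are the same directive.
    """
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def is_known_hsts_host(policy_host, policy, host):
    """Does the policy cached for policy_host cover a request to host?

    RFC 6797 sections 8.2/8.3: an exact match always counts; a subdomain
    counts only when the policy carries includeSubDomains. A policy with
    max-age=0 (or no max-age) is dropped and covers nothing.
    """
    if not policy["max_age"]:
        return False
    policy_host = policy_host.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)


def apply_hsts(url, policy_host, policy):
    """Rewrite an http:// URL to https:// the way a browser holding the
    cached policy does, before any request is sent (RFC 6797 section 8.3)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_known_hsts_host(policy_host, policy, parts.hostname):
        return url
    netloc = parts.hostname
    if parts.port not in (None, 80):  # port 80 becomes 443 (the https default)
        netloc += ":%d" % parts.port
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def cert_covers(cert_names, host):
    """Hostname matching as browsers do it: a leading wildcard matches exactly
    one DNS label (RFC 6125 section 6.4.3), so '*.s3.amazonaws.com' does not
    cover 'media.shithotwatches.com.s3.amazonaws.com'."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".s3.amazonaws.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def asset_status(url, policy_host, policy, cert_names=S3_CERT_NAMES):
    """What happens to one asset URL once the browser has cached the policy."""
    final = apply_hsts(url, policy_host, policy)
    parts = urlsplit(final)
    if parts.scheme != "https":
        return "http-unchanged"
    if cert_covers(cert_names, parts.hostname):
        return "https-ok"
    return "https-cert-mismatch"


if __name__ == "__main__":
    site = "shithotwatches.com"
    with_subs = parse_hsts("max-age=31536000; includeSubdomains")
    without_subs = parse_hsts("max-age=31536000")
    # Constructed asset URLs for the post's scenario; the bucket names are made up.
    for url in (
        "http://media.shithotwatches.com/img/watch.jpg",                    # CNAME to S3
        "https://mediabucket.s3.amazonaws.com/img/watch.jpg",               # bucket without dots
        "https://media.shithotwatches.com.s3.amazonaws.com/img/watch.jpg",  # bucket named after the CNAME
        "https://s3.amazonaws.com/media.shithotwatches.com/img/watch.jpg",  # path-style
    ):
        print("%-22s %-22s %s" % (asset_status(url, site, with_subs),
                                  asset_status(url, site, without_subs), url))
```

Running it shows the CNAME URL going from http-unchanged to https-cert-mismatch the moment includeSubdomains is present, the bucket named after the CNAME failing even without HSTS because of the wildcard's single-label rule, and the dotless bucket name and the path-style URL passing. Keep in mind that an http-unchanged asset on an HTTPS page is still mixed content, so in practice the S3 URLs need to be one of the passing forms regardless of the header.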
