JupyterHub and HSTS

Hello,
We have recently installed JupyterHub to support a team of data scientists. It is my very limited understanding that our install is fairly vanilla. We generally followed “The Hard Way” install document (link below), stopping at the Conda step (no reverse proxy). This is on a RHEL7 internal server (no Internet access).

Internal penetration tests have found that HSTS is missing on the server (port 8000). I have beat my head against this for a while, but can’t seem to figure it out.

I could use some help.

Hi! Unfortunately that guide is a bit out of date, so bear in mind some parts may be inaccurate.

HSTS can help improve the security of your JupyterHub installation if you’ve already setup a SSL/HTTPS certificate to protect all web connections. This is most easily done with a reverse proxy such as Nginx- once you’ve added a certificate you can add a HSTS header.

1 Like

Thanks manics. With other scan findings like TLS 1.0 I was able to add a line like this to jupyterhub_config.py to remediate: c.ConfigurableHTTPProxy.command = [‘configurable-http-proxy’, ‘–ssl-protocol’, ‘TLSv1_2’].

It looks like there is a ‘–customheader’ option as well, so I tried something like this in jupyterhub_config.py: c.ConfigurableHTTPProxy.command = [‘configurable-http-proxy’, ‘–custom-header’, ‘Strict-Transport-Security max-age=31536000; includeSubDomains; preload’]. I’ve tried several variations, thinking that I may just have syntax wrong, but I also may just be way off base as well.

We have Apache installed on this server, but it is kept down (long story). I did stumble my way through the instructions for using Apache as a reverse proxy, but I kept getting errors stating something like “proxy server error on GET /hub/login”. Web servers are not my strong suit.

I’ll need to return to Nginx/Apache if reverse proxy is the only way.

Thanks again!

1 Like