HSTS configuration of GitHub Enterprise server #141887
Replies: 5 comments 1 reply
-
To configure HSTS on your GitHub Enterprise server, first ensure your instance is accessible via HTTPS. Then, add the following line to your NGINX configuration within the HTTPS server block: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`. After saving the changes, test your configuration to confirm that the HSTS header is correctly set. Be cautious about users or services that may still rely on HTTP, as they could be locked out after enabling HSTS.
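The "test your configuration" step above, as an added example that is not from the original thread and not GitHub's own tooling: a small Python checker that parses a Strict-Transport-Security value the way a browser would (RFC 6797 syntax, case-insensitive directives, no repeated directives) and applies the hstspreload.org minimums when `preload` is present, run here on constructed sample values rather than on a live instance.

```python
"""Check a Strict-Transport-Security header value against RFC 6797 and preload rules."""
# hstspreload.org submission minimum for max-age: one year in seconds
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split an HSTS value into {directive: argument}; names are case-insensitive.
    RFC 6797 forbids repeating a directive, so duplicates are reported; unknown
    directives are kept but otherwise ignored. Returns (directives, findings)."""
    directives, findings = {}, []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            findings.append(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    return directives, findings


def check_hsts(value):
    """Return a list of findings for a header value; an empty list means it passes."""
    directives, findings = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None:
        findings.append("max-age directive is missing")
    elif not max_age.isdigit():
        findings.append(f"max-age is not a non-negative integer: {max_age!r}")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS (tells browsers to drop the policy)")
    if "preload" in directives:
        if "includesubdomains" not in directives:
            findings.append("preload requires includeSubDomains")
        if max_age and max_age.isdigit() and int(max_age) < PRELOAD_MIN_MAX_AGE:
            findings.append(f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}")
    return findings


# Constructed sample values, not captured from a real GitHub Enterprise instance.
SAMPLES = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short_preload": "max-age=300; preload",
    "no_max_age": "includeSubDomains",
    "duplicate": "max-age=31536000; max-age=0",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, check_hsts(value) or "OK")
```

Feed it the value from a `curl -sI https://<your-instance>/` response; remember that browsers only honour the header when it arrives over HTTPS, so a header seen on a plain-HTTP response proves nothing.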
-
Thank you for the information. However, our GitHub Enterprise was set up using an OVA file on a Linux machine. Upon double-checking, we confirmed that there is neither an HTTPD nor an NGINX server installed, so we were unable to configure the details provided. Please note that this machine operates in a non-internet environment.
-
Thanks for your quick reply @Sanidhyafeaturist. As @HemanthYadav70 said, we have deployed GitHub Enterprise Server from the OVA file on our vCenter, and we have not configured NGINX. We have configured HTTPS by uploading the certificates in the GitHub Enterprise Management Console. Could you please provide us with any steps on how to include the HSTS parameters you mentioned via the GitHub Enterprise Management Console?
-
Hey there! 👋 Thanks for posting in the GitHub Community, @niharrs29! We're happy you're here. You are more likely to get a useful response if you post your question in the applicable category. The Accessibility category is a place for our community to discuss and provide feedback on the digital accessibility of GitHub products. Digital accessibility means that GitHub tools and technologies are designed and developed so that people with disabilities can use them. I've gone ahead and moved this to the correct category for you. Good luck!
-
Per the Configuring TLS guide:
HSTS headers are already set by default on GitHub Enterprise Server, and modifying configuration files on the appliance is neither supported nor a good idea to attempt. Is there something further that you are looking for regarding HSTS on GitHub Enterprise Server?
-
Select Topic Area
Question
GitHub Feature Area
Enterprise
Body
Hello All,
I am seeking guidance on configuring HTTP Strict Transport Security (HSTS) for our on-premises GitHub Enterprise server. We are aiming to improve the security posture by ensuring that all communications are forced over HTTPS, and I understand that HSTS can help in achieving this.
Has anyone successfully configured HSTS on their GitHub Enterprise instance? If so, could you please provide any steps, best practices, or potential pitfalls that I should be aware of during the setup? Additionally, I would appreciate it if someone could clarify whether there are any GitHub-specific configurations or limitations that I should take into account.
Looking forward to your suggestions!
Thank you in advance for your help.
Best Regards,
Nihar Samantaray