#[NaBox] Enable HSTS on nabox admin webserver and Grafana


tiny lava

Hi all,

At my company our security team is pushing to have all web services like nabox/grafana have HSTS (Header Strict-Transport-Security) enabled. Now I've been going through the nabox containers nabox_admin and grafana to see if HSTS is enabled. For both containers it is not.

My main questions are the following; due to my lack of understanding of HSTS, I hope someone can answer them.

  1. Can I manually change the settings in the containers? Knowing it will need to be re-enabled after an upgrade as long as it is not enabled by default.
  2. Is there a reason for me NOT to enable it?

Thanks in advance!
M.

slate walrus

All HTTP communication goes through the traefik reverse proxy. There shouldn't be anything else open to the outside, but I'll double check. It seems reasonable to enable HSTS on traefik. Does that make sense?

tiny lava

That should be sufficient indeed. Is there a way to get to the admin page of traefik?

slate walrus

There is no admin page; that would be an update in the config file or the containers' labels. More probably the config files or CLI arguments of the traefik container from docker-compose.yaml.
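As an added example, not from this thread and not NaBox's own compose file: Traefik v2 docker-compose labels that define an HSTS headers middleware and attach it to the Grafana router, which is the "containers' labels" route described above. The service, router, middleware and host names are assumptions; adapt them to the names in NaBox's docker-compose.yaml.

```yaml
# Added example, not from NaBox. Names (grafana, websecure, hsts, the Host rule)
# are assumptions. Traefik's headers middleware only adds the
# Strict-Transport-Security header on HTTPS responses (unless forceSTSHeader
# is set), so the router must terminate TLS for the header to appear.
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  grafana:
    image: grafana/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`nabox.example.com`) && PathPrefix(`/grafana`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls=true"
      # Define the "hsts" middleware: max-age of one year.
      # Leave includeSubdomains/preload off until every subdomain of the host
      # is served over TLS, because browsers will refuse plain HTTP for the
      # whole domain once they have seen those directives.
      - "traefik.http.middlewares.hsts.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=false"
      - "traefik.http.middlewares.hsts.headers.stsPreload=false"
      # Attach the middleware to this router; "@docker" names the provider.
      - "traefik.http.routers.grafana.middlewares=hsts@docker"
```

After a `docker compose up -d`, confirm the header is present with `curl -sI https://nabox.example.com/grafana/ | grep -i strict-transport-security`; the same middleware can be attached to the nabox_admin router with an additional `traefik.http.routers.<router>.middlewares=hsts@docker` label.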