Are there plans to, or how do I enforce HSTS on these devices? The option is in the ssl.conf but when actually tested by curl or via Nessus HSTS does not report as enabled. I specifically have the Comet GL-RM1 now running firmware 1.8.0 release 3.
You cannot use HTTP to access websites; only HTTPS is available, so we don't need HSTS.
I’m not sure I understand your response… If a security requirement exists for HSTS on any device that’s on a customer’s network, “we don’t need HSTS” isn’t going to satisfy that requirement. It also sounds like you aren’t familiar with everything HSTS does; forcing HTTP to HTTPS is only part of the standard.
HSTS on a local device is a bit ... weird. Especially when it's a device used for remote controlling. HSTS won't make this device more secure. By only being available on TCP/443 you don't need HSTS in that case. And it would require a valid cert.
If you need HSTS, you might want to enable it. From my point of view as an IT expert, it's useless for most people and will only cause more issues than it solves. Out-of-Band Management should be reachable at any time; HSTS would break this.
This is a useful discussion, but “need” is subjective. To be direct, I wasn’t asking whether I should use HSTS or whether others think it’s a good idea. My question is simply whether the device supports HSTS, and if it does, how to enable it.
So, no, HSTS is not easy to enable.
So, it turns out it actually is easy to enable: the header string is already in the conf files, just not in the place it really needs to be. I had already installed my trusted certs, so the string just needed to be added to the .conf that Nginx routes the device's UI traffic through. I won’t post the solution here since one of the GL.iNet Staff replied saying “we don’t need HSTS”, but my requirement is now met.
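For anyone who lands on this thread with the same requirement, here is an added illustration of where the header has to live for nginx to actually send it. It is not the firmware's shipped configuration and not code posted by anyone in this thread; it assumes the UI is served by an nginx server{} block on TCP/443 behind a proxy_pass (as the last post describes), and every path, hostname and port in it is made up.

```nginx
# Added example, not GL.iNet firmware configuration. Hostnames, cert paths and
# the backend port are assumptions for illustration only.

# Why a line in ssl.conf can be ignored: a file that only holds ssl_* settings
# is inert unless it is included inside the server{} that serves the UI, and
# add_header is only meaningful at http{}, server{} or location{} level.

server {
    listen 443 ssl;
    server_name device.example.internal;          # assumption

    ssl_certificate     /etc/nginx/certs/device.crt;   # assumption: trusted cert already installed
    ssl_certificate_key /etc/nginx/certs/device.key;   # assumption

    # Correct placement: in the HTTPS server block that routes the UI traffic.
    # "always" makes nginx emit the header on 4xx/5xx responses as well; without
    # it add_header only applies to 2xx/3xx, so a scanner that hits an error
    # page (or a 401 login challenge) would still report HSTS as missing.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;          # assumption: UI backend

        # Pitfall: any add_header inside a location{} replaces ALL headers
        # inherited from server{}. If this location needs its own header
        # (X-Frame-Options, CSP, ...), repeat the HSTS line here too, or it
        # silently disappears for every request matched by this location.
    }
}

# Only needed if the device also listens on port 80. Do not send HSTS here:
# browsers ignore the header on plain HTTP (RFC 6797), so just redirect.
server {
    listen 80;
    server_name device.example.internal;          # assumption
    return 301 https://$host$request_uri;
}

# Verify after reload (nginx -t && nginx -s reload), e.g.:
#   curl -skI https://device.example.internal/ | grep -i strict-transport-security
# The header must show up on an error path too, e.g. /does-not-exist, to
# confirm that "always" is in effect.
```

Start with a short max-age while testing; once the header is served, browsers will refuse plain HTTP to that host until it expires, which is the Out-of-Band Management concern raised earlier in the thread.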