0.12.0
This release adds the ability to send HSTS headers. Also the license has changed from Apache 2.0 to Snowplow Limited Use License.
The HSTS header ensures that websites or services are not accessed via HTTP when HTTPS (the more secure protocol) is available.
This is most relevant for URLs that users might type into their browser: if they start with http:// by mistake, there is a risk that an attacker who has prepared for it impersonates the site and steals user data. Because users don't typically access Iglu Server endpoints directly, there is no significant attack vector here. However, it's good security practice to use HSTS, and it helps pass automated security checks on the infrastructure.
If your Iglu Server is behind a reverse proxy like Nginx, then you would have already been able to configure the HSTS header there. But if you are using something like an AWS or GCP load balancer, it can be convenient to send this header from the app itself, to be passed through by the load balancer.
The configuration looks like this:
repoServer.hsts {
  enable = true
  maxAge = 365 days
}
This setting is off by default, because enabling it would cause problems for deployments that do not expose HTTPS endpoints.
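As an added example (not Iglu Server code), the Python below shows the header value that a setting like `enable = true` / `maxAge = 365 days` translates to, and a small check an operator can run over a response to confirm that the header is present on HTTPS with a max-age of at least one year, which is what automated scanners usually demand. The duration parsing, `hsts_header_value` and `check_hsts` are assumptions for illustration, not the server's own implementation, and the sample responses are constructed.

```python
from __future__ import annotations

import re

# Seconds per duration unit (subset of HOCON-style units; assumed mapping).
_UNIT_SECONDS = {
    "s": 1, "second": 1, "seconds": 1,
    "m": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}

ONE_YEAR = 365 * 86400  # minimum max-age most automated checks expect


def duration_seconds(text: str) -> int:
    """Convert a duration such as '365 days' or '30d' to whole seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-zA-Z]+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    value, unit = int(m.group(1)), m.group(2).lower()
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unsupported unit: {unit!r}")
    return value * _UNIT_SECONDS[unit]


def hsts_header_value(enable: bool, max_age: str) -> str | None:
    """Strict-Transport-Security value for the given settings; None when disabled."""
    if not enable:
        return None
    return f"max-age={duration_seconds(max_age)}"


def check_hsts(scheme: str, headers: dict[str, str]) -> list[str]:
    """Return findings for one response; an empty list means the check passed.

    Header names are matched case-insensitively. Browsers ignore HSTS received
    over plain HTTP (RFC 6797), so the header is only required on HTTPS.
    """
    if scheme != "https":
        return []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security header on HTTPS response"]
    directives: dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    findings: list[str] = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age directive missing or not an integer")
    elif int(max_age) < ONE_YEAR:  # max-age=0 also lands here (it disables HSTS)
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    return findings


# Constructed sample responses (scheme, headers); not captured from a real server.
SAMPLE_RESPONSES = [
    ("https", {"Content-Type": "application/json",
               "Strict-Transport-Security": "max-age=31536000"}),
    ("https", {"Content-Type": "application/json"}),
    ("http", {"Content-Type": "application/json"}),
]


def audit(responses=SAMPLE_RESPONSES) -> dict[int, list[str]]:
    """Run check_hsts over each sample and map its index to the findings."""
    return {i: check_hsts(scheme, hdrs) for i, (scheme, hdrs) in enumerate(responses)}


if __name__ == "__main__":
    print("header when enabled:", hsts_header_value(True, "365 days"))
    for i, findings in audit().items():
        print(i, findings or "ok")
```

The second sample response is the one that fails: an HTTPS response without the header. The plain-HTTP response passes because the header would be ignored there anyway; what matters is that the HTTPS endpoint (or the load balancer in front of it) forwards it.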
You can find the relevant configuration properties in the docs for Iglu Server.
Finally, note that as per our earlier announcement, Iglu Server is now released under the Snowplow Limited Use License Agreement, and you will need to explicitly accept it if you upgrade from an earlier version. See here for how to do that.