Closed
Description
Is there an existing issue for this?
- I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- I have reviewed the documentation https://docs.sentry.io/
- I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Sentry Saas (sentry.io)
Which SDK are you using?
@sentry/nextjs
SDK Version
7.64.0
Framework Version
Next.js 13.4.19
Link to Sentry event
No response
SDK Setup
On the server:
Sentry.init({
  dsn: process.env.NEXT_PUBLIC_SERVER_SENTRY_DSN,
  tracesSampleRate: 1,
  debug: false,
  release: process.env.NEXT_PUBLIC_SENTRY_RELEASE,
});
On the client:
Sentry.init({
  dsn: process.env.NEXT_PUBLIC_SERVER_SENTRY_DSN,
  tracesSampleRate: 1,
  debug: false,
  replaysOnErrorSampleRate: 1.0,
  replaysSessionSampleRate: 0.1,
  integrations: [
    new Sentry.Replay({
      maskAllText: true,
      blockAllMedia: true,
    }),
  ],
  release: process.env.NEXT_PUBLIC_SENTRY_RELEASE,
  tracePropagationTargets: [
    "http://localhost:3000",
    "https://bowser.dev.ystv.co.uk",
    "https://bowser.ystv.co.uk",
  ],
});
In next.config.js:
module.exports = withSentryConfig(
  nextConfig,
  {
    silent: true,
    org: "ystv",
    project: "bowser-server",
    authToken: process.env.SENTRY_AUTH_TOKEN,
    release: sentryRelease,
  },
  {
    widenClientFileUpload: true,
    transpileClientSDK: false,
    tunnelRoute: "/monitoring",
    hideSourceMaps: true,
    disableLogger: true,
    disableClientWebpackPlugin: process.env.IS_PRODUCTION_BUILD !== "true",
    disableServerWebpackPlugin: process.env.IS_PRODUCTION_BUILD !== "true",
  },
);
Steps to Reproduce
- Set up the Next.js integration with tunnelRoute enabled
- Deploy the application on a hosting provider that does not set Strict-Transport-Security
- Visit a page in the application
- Watch the browser DevTools Network tab for a request to /monitoring
Expected Result
No Strict-Transport-Security header is present on any response.
Actual Result
The initial response from the backend does not have Strict-Transport-Security:
However, the response to the /monitoring request has the Strict-Transport-Security header from the Sentry SaaS backend:
Looking in chrome://net-internals#hsts you can indeed see that this has unintentionally enabled dynamic HSTS for the domain in question:
Any subsequent non-HTTPS requests to the domain will now fail.
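The mechanism behind the report is that tunnelRoute is implemented as a Next.js rewrite to the Sentry ingest host, so the upstream's response headers come back to the browser verbatim under the application's own origin, and HSTS is scoped per host, not per path. The following is an added illustration, not code from the sentry-javascript project or from this issue: the defensive shape of a hand-written tunnel endpoint that relays the envelope but strips origin-scoped and hop-by-hop response headers before answering the browser, plus an audit helper that flags which first-party paths returned Strict-Transport-Security. The ingest URL, the handler signature and the sample responses are assumptions.

```javascript
// Added example, not code from the sentry-javascript project or the issue
// author. It shows the defensive shape of a hand-written tunnel endpoint:
// relay the Sentry envelope to the ingest backend, but relay back only the
// headers that belong to the tunnel, so an origin-scoped policy header such
// as Strict-Transport-Security from the upstream never reaches the browser
// under the application's own host. Ingest URL and handler signature are
// assumptions.

// Response headers that express the *upstream* origin's policy or connection
// state. Copied verbatim onto a first-party response they let the upstream
// set policy for the application's domain (HSTS pinning is the case in the
// issue: after one such response the browser refuses plain HTTP for the host).
const DROPPED_RESPONSE_HEADERS = new Set([
  "strict-transport-security", // origin-scoped: pins the app host to HTTPS
  "set-cookie",                // would create cookies under the app host
  "connection",                // hop-by-hop: proxy <-> upstream only
  "keep-alive",
  "transfer-encoding",
  "proxy-authenticate",
]);

// Return only the upstream headers that are safe to relay to the browser.
function filterUpstreamHeaders(upstreamHeaders) {
  const relayed = {};
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    if (!DROPPED_RESPONSE_HEADERS.has(name.toLowerCase())) {
      relayed[name] = value;
    }
  }
  return relayed;
}

// Audit helper: given captured responses keyed by first-party path, return
// the paths whose response carried Strict-Transport-Security. Run it against
// a deploy that is not supposed to set HSTS at all; any hit is a leak.
function findHstsLeaks(capturedResponses) {
  return Object.entries(capturedResponses)
    .filter(([, headers]) =>
      Object.keys(headers).some((h) => h.toLowerCase() === "strict-transport-security"))
    .map(([path]) => path);
}

// Tunnel handler in Node-style (req, res) form. fetchImpl is injectable so the
// relay can be exercised without network access. INGEST_URL is a placeholder.
const INGEST_URL = "https://INGEST_HOST_PLACEHOLDER/api/PROJECT_ID_PLACEHOLDER/envelope/";

async function tunnelHandler(req, res, fetchImpl = globalThis.fetch) {
  const chunks = [];
  for await (const chunk of req) chunks.push(chunk);
  const upstream = await fetchImpl(INGEST_URL, {
    method: "POST",
    body: Buffer.concat(chunks),
    headers: { "content-type": "application/x-sentry-envelope" },
  });
  // Only the filtered header set reaches the browser.
  const headers = filterUpstreamHeaders(Object.fromEntries(upstream.headers));
  res.writeHead(upstream.status, headers);
  res.end(Buffer.from(await upstream.arrayBuffer()));
}

// Constructed sample: the two responses the issue describes, reduced to the
// relevant headers (the HSTS value is made up, not taken from the report).
const CAPTURED_RESPONSES = {
  "/": { "content-type": "text/html; charset=utf-8" },
  "/monitoring": {
    "content-type": "application/json",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "connection": "keep-alive",
  },
};

console.log("paths leaking HSTS:", findHstsLeaks(CAPTURED_RESPONSES)); // ["/monitoring"]
console.log("relayed /monitoring headers:", filterUpstreamHeaders(CAPTURED_RESPONSES["/monitoring"]));
```

The audit helper is the part worth keeping after the SDK fix lands: the tunnel is a proxy for a third party, so a header check on the tunnel path belongs in the same post-deploy checks as the rest of the application's security headers.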