We are pleased to release Collector 3.1.0 and Iglu Server 0.12.0. The main new feature in both cases is the ability to configure the app to send the HSTS header.
The HSTS header ensures that websites or services are not accessed via HTTP when HTTPS (the more secure protocol) is available.
This is most relevant for URLs that users might type into their browser — if they start with http:// by mistake, an attacker in a position to intercept the connection could impersonate the site and steal user data. Because users don’t typically access Collector or Iglu Server endpoints directly, there is no significant attack vector. However, it’s good security practice to use HSTS, and it helps pass automated security checks on the infrastructure.
If your Collector or Iglu Server is behind a reverse proxy like Nginx, you can already set the HSTS header there. But if you are using something like an AWS or GCP load balancer, it can be convenient to send this header from the app itself and have the load balancer pass it through.
The configuration looks like this:
hsts {
  enable = true
  maxAge = 365 days
}
This setting is off by default: sending HSTS from a deployment that does not expose an HTTPS endpoint would make browsers refuse to connect to it over plain HTTP afterwards, so it is only enabled explicitly.
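Once `hsts.enable` is on, it is worth confirming that the header actually reaches clients through the load balancer and carries the max-age you expect. The script below is an added example, not part of the release notes or of the Collector or Iglu Server code base: it parses a Strict-Transport-Security value as defined in RFC 6797 and reports findings for a missing or malformed header, a max-age shorter than expected, or a response that was not served over HTTPS (browsers ignore HSTS received over plain HTTP). It assumes that `maxAge = 365 days` is emitted as `max-age=31536000`; the exact serialisation is not shown on the page. The sample header sets are constructed for illustration.

```python
"""Check the Strict-Transport-Security (HSTS) header a service returns.

Added example, not Snowplow's code. Verifies that the header configured in
the app's `hsts { ... }` block is visible to clients and has the expected
max-age. Sample headers below are constructed, not captured.
"""
import re
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# 365 days in seconds; assumed to be how `maxAge = 365 days` is serialised.
ONE_YEAR = 365 * 24 * 60 * 60


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value; return None if it is malformed.

    Per RFC 6797, directives are case-insensitive and separated by ';',
    max-age is mandatory and must not repeat, unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None  # duplicate or non-numeric max-age is invalid
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(headers: dict, scheme: str, expected_max_age: int = ONE_YEAR) -> list:
    """Return a list of findings; an empty list means the policy looks right."""
    findings = []
    if scheme.lower() != "https":
        # Browsers only honour HSTS on a TLS-protected response, so TLS must
        # terminate at the load balancer or at the app itself.
        findings.append("response was not served over HTTPS; browsers ignore HSTS")
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        findings.append("Strict-Transport-Security header missing")
        return findings
    policy = parse_hsts(value)
    if policy is None:
        findings.append(f"malformed HSTS header: {value!r}")
        return findings
    if policy.max_age < expected_max_age:
        findings.append(f"max-age {policy.max_age} is below expected {expected_max_age}")
    return findings


def fetch_headers(url: str) -> tuple:
    """HEAD request helper for a live check (not used by the offline samples)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return urllib.parse.urlsplit(url).scheme, dict(resp.headers.items())


# Constructed sample responses (not captured from a real deployment).
SAMPLE_OK = {"Strict-Transport-Security": "max-age=31536000"}
SAMPLE_MISSING = {"Content-Type": "application/json"}
SAMPLE_SHORT = {"strict-transport-security": "max-age=300; includeSubDomains"}

if __name__ == "__main__":
    for name, hdrs, scheme in [("ok", SAMPLE_OK, "https"),
                               ("missing", SAMPLE_MISSING, "https"),
                               ("short-over-http", SAMPLE_SHORT, "http")]:
        print(name, check_hsts(hdrs, scheme) or "OK")
```

To run it against a real endpoint, call `check_hsts(*fetch_headers("https://collector.example.com/health"))` (hostname is a placeholder) from a client outside the load balancer, since the header only matters on the path clients actually use.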
You can find the relevant configuration properties in the docs for Collector and Iglu Server.
Finally, note that as per our earlier announcement, Iglu Server is now released under the Snowplow Limited Use License Agreement, and you will need to explicitly accept it if you upgrade from an earlier version. See here for how to do that.