Closed Bug 1143976 Opened 9 years ago Closed 8 years ago

Must use Strict-Transport-Security headers and get on Chromium HSTS preload list

Categories

(Cloud Services :: Operations: Miscellaneous, task)

Platform: x86
OS: macOS
Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jrgm, Assigned: bobm)

Details

$ curl -H 'connection: close' -s -X HEAD -D - https://hello.firefox.com/ 
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6956
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html
Date: Tue, 17 Mar 2015 02:05:39 GMT
ETag: "54ff3e83-1b2c"
Last-Modified: Tue, 10 Mar 2015 18:57:07 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Token-Match: 1
Connection: Close


That is missing a header like this (and probably should be exactly this max-age with includeSubdomains):

Strict-Transport-Security: max-age=15552000; includeSubdomains
Also, once that is in place, a request should be made to get find.firefox.com on the STS preload list maintained by chromium.org. (@see https://bugzilla.mozilla.org/show_bug.cgi?id=958313)
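As an added example (not part of the original bug or the Loop/Hello deployment), the following Python script does offline what the reporter did by hand with curl: it parses a raw response header dump, extracts the Strict-Transport-Security header, validates it per RFC 6797 (max-age required, directive names case-insensitive, duplicates rejected, only the first STS header honoured), and then checks the header-level conditions hstspreload.org publishes for the Chromium preload list (max-age of at least one year, includeSubDomains, and a preload directive). The sample responses are constructed here: the first is the hello.firefox.com dump from the bug, the others are hypothetical headers that an ops engineer might deploy.

```python
"""Check a raw HTTP response for a usable HSTS policy and preload eligibility.

Added example; the header samples below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header-level preload requirements from hstspreload.org (one year in seconds).
# Note that the 15552000 (180 days) suggested in the bug would not satisfy
# the current submission rules, which require at least 31536000.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a `curl -D -` style dump into {lowercase-name: value}.

    RFC 6797 section 8.1: if several STS headers are present, the UA
    processes only the first, so setdefault() keeps the first value.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line, or body text
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS field value per RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is mandatory, a
    duplicated directive makes the header invalid, and unknown
    directives are ignored.
    """
    policy = HstsPolicy()
    seen = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None and not policy.problems:
        policy.problems.append("max-age missing; the UA must ignore this header")
    return policy


def check_response(raw: str) -> dict:
    """Return hsts_present / valid / preload_ready flags plus human-readable findings."""
    result = {"hsts_present": False, "valid": False, "preload_ready": False, "findings": []}
    sts = parse_raw_headers(raw).get("strict-transport-security")
    if sts is None:
        result["findings"].append("missing Strict-Transport-Security header")
        return result
    result["hsts_present"] = True
    policy = parse_hsts(sts)
    result["findings"].extend(policy.problems)
    if policy.problems or policy.max_age is None:
        return result  # invalid header: browsers will not enforce it
    result["valid"] = True
    if policy.max_age == 0:
        result["findings"].append("max-age=0 instructs browsers to forget the host's policy")
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        result["findings"].append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE} required for preload")
    if not policy.include_subdomains:
        result["findings"].append("includeSubDomains is required for preload")
    if not policy.preload:
        result["findings"].append("the 'preload' directive is required for preload")
    result["preload_ready"] = (policy.max_age >= PRELOAD_MIN_MAX_AGE
                               and policy.include_subdomains and policy.preload)
    return result


# Constructed samples: the dump from the bug report, then two hypothetical fixes.
RESPONSE_FROM_BUG = """HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Connection: Close
"""
RESPONSE_SUGGESTED = RESPONSE_FROM_BUG + "Strict-Transport-Security: max-age=15552000; includeSubdomains\n"
RESPONSE_PRELOAD_READY = RESPONSE_FROM_BUG + "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"

if __name__ == "__main__":
    for label, raw in [("bug", RESPONSE_FROM_BUG), ("suggested", RESPONSE_SUGGESTED),
                       ("preload-ready", RESPONSE_PRELOAD_READY)]:
        print(label, check_response(raw))
```

To run it against a live host instead of the embedded samples, feed it the output of the reporter's curl command (for example `curl -sI https://hello.firefox.com/`) on stdin; the parser only needs the header block. The one-year minimum is the header-side rule only: hstspreload.org additionally requires a valid certificate and that the HTTP origin redirect to HTTPS on the same host, which a header check cannot see.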

/cc :francois
Summary: Must use Strict-Transport-Security headers → Must use Strict-Transport-Security headers and get on Chromium HSTS preload list
BTW, I believe that the (new) way to request inclusion on the preload list is through https://hstspreload.appspot.com/
This is not related to the server code, but rather to the deployment of the web frontend, assigning to ops.
Component: Server → Operations
Product: Loop → Mozilla Services
Taking this bug.
Assignee: nobody → bobm
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX