Closed
Bug 1143976
Opened 9 years ago
Closed 8 years ago
Must use Strict-Transport-Security headers and get on Chromium HSTS preload list
Categories
(Cloud Services :: Operations: Miscellaneous, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: jrgm, Assigned: bobm)
Details
$ curl -H 'connection: close' -s -X HEAD -D - https://hello.firefox.com/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6956
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html
Date: Tue, 17 Mar 2015 02:05:39 GMT
ETag: "54ff3e83-1b2c"
Last-Modified: Tue, 10 Mar 2015 18:57:07 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Token-Match: 1
Connection: Close

That is missing a header like this (and probably should be exactly this max-age with includeSubdomains):

Strict-Transport-Security: max-age=15552000; includeSubdomains

Reporter
Comment 1•9 years ago
Also, once that is in place, a request should be made to get find.firefox.com on the STS preload list maintained by chromium.org. (@see https://bugzilla.mozilla.org/show_bug.cgi?id=958313) /cc :francois
Summary: Must use Strict-Transport-Security headers → Must use Strict-Transport-Security headers and get on Chromium HSTS preload list
Comment 2•9 years ago
BTW, I believe that the (new) way to request inclusion on the preload list is through https://hstspreload.appspot.com/
Comment 3•9 years ago
This is not related to the server code, but rather to the deployment of the web frontend; assigning to ops.
Component: Server → Operations
Product: Loop → Mozilla Services
Updated•8 years ago
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX