Closed
Bug 1299807
Opened 8 years ago
Closed 8 years ago
Add HSTS header to responses from https://mozilla.org
Categories
(Infrastructure & Operations Graveyard :: WebOps: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: pmac, Assigned: ericz)
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3370])
Description

https://mozilla.org is a redirect to https://www.mozilla.org. For proper implementation of HSTS we need that 301 response to contain the following header:

Strict-Transport-Security: max-age=300

We'll start with a short max-age (5 min. above), then once we're confident that this hasn't negatively impacted traffic we can move it to a day (86400), and then the max (a year, 31536000). This is what we did for www.mozilla.org and it worked well and is far less risky than going with the full year to start.

Comment 1•8 years ago
I talked to :ulfr, and he (like myself) can't think of any problems we might have doing this on mozilla.com either. So let's set that header for https://mozilla.org/ and https://mozilla.com/, starting at 300. Thanks!
Assignee
Comment 2•8 years ago
https://mozilla.com now redirects to https://www.mozilla.com with the HSTS header set to 300. https://mozilla.org is a little more complicated and I will hold off until next week when I can get more review.
Comment 3•8 years ago

I see the HSTS header, but I also see an extra slash in the location now:

$ curl -I https://mozilla.com
HTTP/1.1 302 Moved Temporarily
X-Backend-Server: TS
Content-Type: text/plain
Strict-Transport-Security: max-age=300
Date: Fri, 16 Sep 2016 20:27:32 GMT
Location: https://www.mozilla.com//
Connection: Keep-Alive
Content-Length: 0
That extra slash existed before this work, and is an unrelated concern. You're welcome to file a separate bug about it if it's essential that we repair it, but it has no material impact on the Observatory score.
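The description lays out a staged HSTS rollout (max-age 300, then 86400, then 31536000) on the apex-domain redirect, and comment 3 shows what a `curl -I` check of that redirect looks like, doubled slash included. The script below is an added example, not part of the bug thread and not Mozilla's TrafficScript rule: it parses a raw response head like the one pasted above, reports whether the Strict-Transport-Security max-age is one of the rollout stages, whether the Location points at the expected https host, and whether the path carries a doubled slash. The sample responses and helper names are constructed for this example.

```python
"""Validate the HSTS header and Location of an apex-to-www redirect.

Added example (not from the bug or from Mozilla's config). The response
heads below are constructed to resemble the `curl -I` output in the bug.
"""
import re

# Staged max-age values from the bug description: 5 minutes, a day, a year.
ROLLOUT_STAGES = (300, 86400, 31536000)

# Constructed sample: mirrors comment 3 (HSTS present, doubled slash in Location).
SAMPLE_DOUBLE_SLASH = """HTTP/1.1 302 Moved Temporarily
X-Backend-Server: TS
Content-Type: text/plain
Strict-Transport-Security: max-age=300
Date: Fri, 16 Sep 2016 20:27:32 GMT
Location: https://www.mozilla.com//
Connection: Keep-Alive
Content-Length: 0
"""

# Constructed sample: the final rollout stage with a clean Location.
SAMPLE_FINAL = """HTTP/1.1 301 Moved Permanently
Strict-Transport-Security: max-age=31536000
Location: https://www.mozilla.org/
Content-Length: 0
"""

# Constructed sample: redirect with no HSTS header at all.
SAMPLE_NO_HSTS = """HTTP/1.1 301 Moved Permanently
Location: https://www.mozilla.org/
Content-Length: 0
"""


def parse_head(raw):
    """Split a raw HTTP response head into (status_code, {lowercase-name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(headers):
    """Return the integer max-age from Strict-Transport-Security, or None."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def next_stage(current):
    """Next max-age in the rollout, or None once the final value is reached."""
    for stage in ROLLOUT_STAGES:
        if stage > current:
            return stage
    return None


def check_redirect(raw, expected_host):
    """Return a list of findings; an empty list means the redirect looks right."""
    status, headers = parse_head(raw)
    findings = []
    if status not in (301, 302, 307, 308):
        findings.append(f"expected a redirect status, got {status}")
    loc = headers.get("location", "")
    prefix = f"https://{expected_host}/"
    if not loc.startswith(prefix):
        findings.append(f"Location does not point at {prefix}: {loc!r}")
    elif "//" in loc[len("https://"):]:
        # The scheme's own "//" is skipped; any other "//" is the doubled slash.
        findings.append(f"Location has a doubled slash: {loc!r}")
    age = hsts_max_age(headers)
    if age is None:
        findings.append("missing Strict-Transport-Security header or max-age")
    elif age not in ROLLOUT_STAGES:
        findings.append(f"max-age {age} is not one of the rollout stages {ROLLOUT_STAGES}")
    return findings


if __name__ == "__main__":
    for label, raw, host in (
        ("comment-3 style", SAMPLE_DOUBLE_SLASH, "www.mozilla.com"),
        ("final stage", SAMPLE_FINAL, "www.mozilla.org"),
        ("no HSTS", SAMPLE_NO_HSTS, "www.mozilla.org"),
    ):
        print(label, "->", check_redirect(raw, host) or "OK")
```

To run it against a live host, feed it the output of `curl -sI https://<host>` instead of the constructed samples; the checker only reads the response head, so a `HEAD` request is enough. Browsers only honour Strict-Transport-Security received over HTTPS, which is why the check insists the redirect target is an `https://` URL on the expected host.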
Assignee
Comment 5•8 years ago
https://mozilla.org now redirects to https://www.mozilla.org with HSTS headers set. This was done with TrafficScript in the "https-redirect (VS:www.mozilla.org) 2016-10-04" rule.
Comment 6•8 years ago
Nice work, :ericz! Are we planning on increasing the max-age slowly with the same time table as we did for www.mozilla.org? Thanks!
Assignee
Comment 7•8 years ago
Yes April, in a few days pmac and I will bump it up a bit.
Reporter
Comment 8•8 years ago
I think we're ready to bump it up to the next level (86400) whenever you are. Thanks again :ericz!
Reporter
Comment 10•8 years ago
I think we're ready to bump to the final value (31536000). All seems well so far. Thanks again Eric.
Comment 11•8 years ago
::high fives all around::
Assignee
Comment 12•8 years ago
HSTS value bumped to 31536000. \o/
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•5 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard