Closed Bug 1299807 Opened 8 years ago Closed 8 years ago

Add HSTS header to responses from https://mozilla.org

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Type: task, Priority: Not set, Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pmac, Assigned: ericz)

References

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3370])

https://mozilla.org is a redirect to https://www.mozilla.org. For proper implementation of HSTS we need that 301 response to contain the following header:

Strict-Transport-Security: max-age=300

We'll start with a short max-age (5 min. above), then once we're confident that this hasn't negatively impacted traffic we can move it to a day (86400), and then the max (a year, 31536000). This is what we did for www.mozilla.org and it worked well and is far less risky than going with the full year to start.
I talked to :ulfr, and he (like myself) can't think of any problems we might have doing this on mozilla.com either.  So let's set that header for https://mozilla.org/ and https://mozilla.com/, starting at 300.

Thanks!
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3370]
Blocks: 1299816
Assignee: server-ops-webops → eziegenhorn
https://mozilla.com now redirects to https://www.mozilla.com with the HSTS header set to 300.

https://mozilla.org is a little more complicated and I will hold off until next week when I can get more review.
I see the HSTS header, but I also see an extra slash in the location now:

$ curl -I https://mozilla.com
HTTP/1.1 302 Moved Temporarily
X-Backend-Server: TS
Content-Type: text/plain
Strict-Transport-Security: max-age=300
Date: Fri, 16 Sep 2016 20:27:32 GMT
Location: https://www.mozilla.com//
Connection: Keep-Alive
Content-Length: 0
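The header dump above is what the rollout is checked against by hand: the apex must answer with a redirect that both carries Strict-Transport-Security at the current stage (300, then 86400, then 31536000) and points at an https URL on the www host. The following is an added example, not code from this bug or from Mozilla's WebOps tooling, that parses such a `curl -I` dump offline and reports the things worth eyeballing at each bump: the parsed max-age and which rollout stage it matches, missing or malformed HSTS directives, a non-https or wrong-host Location, and the doubled trailing slash seen above. The sample responses are constructed (the first copies the output quoted in this comment; the second is a made-up misconfigured one); the host names and stage values come from the bug.

```python
"""Offline checker for an HSTS-on-apex-redirect rollout (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Rollout stages used in this bug: 5 minutes, one day, one year.
HSTS_STAGES = {300: "trial (5 min)", 86400: "one day", 31536000: "one year"}

# Constructed sample 1: the curl -I output quoted in the bug.
SAMPLE_OK = """HTTP/1.1 302 Moved Temporarily
X-Backend-Server: TS
Content-Type: text/plain
Strict-Transport-Security: max-age=300
Date: Fri, 16 Sep 2016 20:27:32 GMT
Location: https://www.mozilla.com//
Connection: Keep-Alive
Content-Length: 0
"""

# Constructed sample 2: a hypothetical bad apex redirect (no HSTS, plain-http target).
SAMPLE_BAD = """HTTP/1.1 301 Moved Permanently
Location: http://www.mozilla.com/
Content-Length: 0
"""


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_headers(raw: str) -> tuple[str, dict[str, str]]:
    """Split a curl -I style dump into (status line, {lower-cased name: value})."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines() if ln.strip()]
    headers: dict[str, str] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_hsts(value: str) -> HstsPolicy | None:
    """Parse an RFC 6797 header value: ';'-separated, case-insensitive directives.
    Returns None when max-age is absent or not a non-negative integer, since
    browsers ignore such a header entirely."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return HstsPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in directives,
        preload="preload" in directives,
    )


def hsts_stage(max_age: int) -> str:
    """Name the rollout stage a max-age corresponds to, or flag it as off-plan."""
    return HSTS_STAGES.get(max_age, "not a planned stage")


def check_apex_redirect(raw: str, expected_host: str, expected_max_age: int) -> list[str]:
    """Return human-readable findings; an empty list means the redirect is as intended."""
    findings: list[str] = []
    status, headers = parse_headers(raw)
    code = status.split()[1] if len(status.split()) > 1 else ""
    if code not in ("301", "302", "307", "308"):
        findings.append(f"status: expected a redirect, got {status!r}")

    policy = parse_hsts(headers.get("strict-transport-security", ""))
    if policy is None:
        findings.append("hsts: header missing or has no valid max-age")
    elif policy.max_age != expected_max_age:
        findings.append(f"hsts: max-age={policy.max_age} ({hsts_stage(policy.max_age)}), "
                        f"expected {expected_max_age}")

    loc = headers.get("location", "")
    parts = urlsplit(loc)
    if parts.scheme != "https":
        findings.append(f"location: not https: {loc!r}")
    if parts.netloc.lower() != expected_host:
        findings.append(f"location: host {parts.netloc!r} != {expected_host!r}")
    if re.search(r"//", parts.path):
        findings.append(f"location: doubled slash in path {parts.path!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("quoted response", SAMPLE_OK), ("bad response", SAMPLE_BAD)):
        print(label, check_apex_redirect(sample, "www.mozilla.com", 300) or ["ok"])
```

Run it against a fresh `curl -I https://mozilla.org` capture at each stage, with the expected max-age updated to 86400 and then 31536000; the only finding for the quoted response should be the doubled slash, which is cosmetic for HSTS but worth fixing separately as suggested below.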
That extra slash existed before this work, and is an unrelated concern. You're welcome to file a separate bug about it if it's essential that we repair it, but it has no material impact on the Observatory score.
https://mozilla.org now redirects to https://www.mozilla.org with HSTS headers set.  This was done with TrafficScript in the "https-redirect (VS:www.mozilla.org) 2016-10-04" rule.
Nice work, :ericz!  Are we planning on increasing the max-age slowly with the same time table as we did for www.mozilla.org?

Thanks!
Yes, April. In a few days pmac and I will bump it up a bit.
I think we're ready to bump it up to the next level (86400) whenever you are. Thanks again :ericz!
HSTS value bumped up to 86400.
See Also: → 1299816
I think we're ready to bump to the final value (31536000). All seems well so far. Thanks again Eric.
::high fives all around::
HSTS value bumped to 31536000. \o/
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard