Bug 1351514 (Closed) - Add mozillians.org to the HSTS preload list
Opened 7 years ago; closed 7 years ago
Categories: Participation Infrastructure :: Phonebook, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: emorley, Assigned: nemo-yiannis
Details
Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves.

Rough steps:
1) Identify mozillians.org subdomains that don't yet support HTTPS and file dependent bugs to fix them.
2) Ensure the apex/root domain (https://mozillians.org/) serves an HSTS header that meets the requirements on https://hstspreload.org/
3) Submit the domain using that same tool

In the case of Mozillians I'm presuming subdomains aren't an issue since the apex domain already sets `includeSubdomains`, and so all that is left is adding the `preload` directive to satisfy #2.

$ curl -IL mozillians.org
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Wed, 29 Mar 2017 01:10:36 GMT
Location: https://mozillians.org/
Connection: Keep-Alive
Content-Length: 0

HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
X-Backend-Server: python3.webapp.phx1.mozilla.com
Vary: Accept-Language,X-Mobile,User-Agent, Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Security-Policy: <SNIP>
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 29 Mar 2017 01:10:37 GMT
Location: https://mozillians.org/en-US/
x-xss-protection: 1; mode=block
Transfer-Encoding: chunked
x-content-type-options: nosniff
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching
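Step 2 of the description is a checklist that can be automated against the `curl -IL` output shown above. The following script is an added example for this bug, not code from the bug or from the Mozillians project: it parses the redirect chain, splits the final response's Strict-Transport-Security header into directives, and reports which of the preload requirements (`max-age`, `includeSubDomains`, `preload`) are unmet. The one-year `max-age` threshold is an assumption taken from the current hstspreload.org submission rules, and the embedded sample is a trimmed copy of the header dump in the description.

```python
"""Check whether a site's HSTS header is ready for hstspreload.org submission.

Added example for this bug, not code from the bug or from Mozillians: it parses
`curl -IL` output like the one in the description and reports what is missing.
The one-year max-age threshold is an assumption taken from the current
hstspreload.org submission rules."""
from typing import Dict, List, Optional

# Assumed: the minimum max-age hstspreload.org accepts today (1 year in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into a {directive: value} map.
    Directive names are case-insensitive (RFC 6797), so they are lowercased;
    valueless directives such as `preload` map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a response's headers fail the preload checklist
    (an empty list means preload-ready). Header names match case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(value)
    problems: List[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below the required {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


def parse_curl_head(text: str) -> List[Dict[str, str]]:
    """Split `curl -I` / `curl -IL` output into one header dict per response.
    Responses are separated by a blank line; the status line is kept as ':status'."""
    responses: List[Dict[str, str]] = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        hdrs = {":status": lines[0]}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            hdrs[name.strip()] = value.strip()
        responses.append(hdrs)
    return responses


def check_chain(curl_output: str) -> List[str]:
    """Evaluate the final response of the redirect chain, which is the one a
    browser ends on after the HTTP -> HTTPS redirect."""
    responses = parse_curl_head(curl_output)
    if not responses:
        return ["no HTTP responses found in input"]
    return preload_problems(responses[-1])


# Constructed sample, trimmed from the `curl -IL mozillians.org` output in the description.
SAMPLE_BEFORE = """\
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Location: https://mozillians.org/

HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://mozillians.org/en-US/
X-Frame-Options: DENY
"""

if __name__ == "__main__":
    print(check_chain(SAMPLE_BEFORE) or "preload-ready")
```

Run against the description's dump it reports only the missing `preload` directive, which matches the reporter's reading of the situation; the same function can be pointed at a live `curl -IL https://example.invalid/` capture once the change is deployed.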
Assignee
Comment 1 • 7 years ago
(cc'ing :ericz) We are not handling HSTS headers in our codebase. I think that it's implemented at the load balancer level. Regarding other domains, we are only using mozillians.org, so I don't think we define any subdomains in our zone. :ericz Can you help us with this? Should I move this bug to another component?
Flags: needinfo?(eziegenhorn)
Reporter
Comment 2 • 7 years ago
I can't see the HSTS header being set anywhere in the IT puppet repo (e.g. the mozillians Apache config), so I'm guessing it must be added by ZLB?
Comment 3 • 7 years ago
It's not set in Apache or Zeus as far as I can see, and I do see it when I hit the webhead directly, so I believe it is coming from your app. Can you check again please?

[eziegenhorn@python1.webapp.phx1 ~]$ curl -sIH'Host: mozillians.org' localhost:81/en-US/ | grep -i strict
Strict-Transport-Security: max-age=31536000; includeSubDomains
[eziegenhorn@python1.webapp.phx1 ~]$ grep -i strict /etc/httpd/mozilla/domains/mozillians.org.conf
[eziegenhorn@python1.webapp.phx1 ~]$
Flags: needinfo?(eziegenhorn)
Assignee
Comment 4 • 7 years ago
You are right, I was grepping the wrong middleware. Apparently we are handling this:
> $ grep -R "StrictTransportMiddleware" mozillians
> mozillians/settings/base.py: 'commonware.response.middleware.StrictTransportMiddleware'
Reporter
Comment 5 • 7 years ago
That comes from: https://github.com/jsocol/commonware/blob/392213bb3afdc409fe0c907cc3a2726767756b22/commonware/response/middleware.py#L42-L58 ...which doesn't support the `preload` directive. Django actually now supports most of the things that package provides (and that package isn't maintained), so I'd recommend switching away from it in the future. I added support for the `preload` directive to Django 1.11 (soon to be released), but that doesn't help here. Short term I'd suggest just adding a custom middleware to the repo cribbed from the Django 1.11 version: https://github.com/django/django/blob/stable/1.11.x/django/middleware/security.py#L31-L38
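The suggestion above is to carry a small custom middleware until the project can move to a Django release that supports `preload` natively. The block below is an added example modelled on the HSTS portion of the Django 1.11 SecurityMiddleware logic linked in the comment; it is not the middleware the Mozillians commit added and it does not import Django, so it runs stand-alone. The `Request` and `Response` classes are constructed stand-ins for Django's request and `HttpResponse` (case-insensitive header access is the one property they reproduce), and the constructor arguments mirror Django's `SECURE_HSTS_SECONDS`, `SECURE_HSTS_INCLUDE_SUBDOMAINS` and `SECURE_HSTS_PRELOAD` settings so no settings module is needed.

```python
"""HSTS middleware with preload support, modelled on the Django 1.11
SecurityMiddleware logic. Added example, not the Mozillians commit and not
Django's own code; Request/Response below are stand-ins so it runs without Django."""
from typing import Dict, Optional, Tuple


class Response:
    """Minimal stand-in for django.http.HttpResponse: header names are
    case-insensitive for `in`, item assignment and get() (constructed for the demo)."""

    def __init__(self) -> None:
        self._headers: Dict[str, Tuple[str, str]] = {}

    def __setitem__(self, name: str, value: str) -> None:
        self._headers[name.lower()] = (name, value)

    def __contains__(self, name: str) -> bool:
        return name.lower() in self._headers

    def get(self, name: str) -> Optional[str]:
        item = self._headers.get(name.lower())
        return item[1] if item else None


class Request:
    """Stand-in for the request object; only is_secure() is needed here."""

    def __init__(self, secure: bool) -> None:
        self._secure = secure

    def is_secure(self) -> bool:
        return self._secure


class HSTSPreloadMiddleware:
    """Sets Strict-Transport-Security (with includeSubDomains and preload) on
    HTTPS responses. Constructor defaults mirror what the preload list expects."""

    def __init__(self, seconds: int = 31536000, include_subdomains: bool = True,
                 preload: bool = True) -> None:
        self.sts_seconds = seconds              # SECURE_HSTS_SECONDS
        self.sts_include_subdomains = include_subdomains  # SECURE_HSTS_INCLUDE_SUBDOMAINS
        self.sts_preload = preload              # SECURE_HSTS_PRELOAD

    def header_value(self) -> str:
        value = f"max-age={self.sts_seconds}"
        if self.sts_include_subdomains:
            value += "; includeSubDomains"
        if self.sts_preload:
            value += "; preload"
        return value

    def process_response(self, request: Request, response: Response) -> Response:
        # Only HTTPS responses get the header: RFC 6797 requires user agents to
        # ignore HSTS received over plain HTTP, and a seconds value of 0 means
        # the feature is switched off. An existing header is left untouched so a
        # view or another middleware can override the policy for one response.
        if (self.sts_seconds and request.is_secure()
                and "strict-transport-security" not in response):
            response["Strict-Transport-Security"] = self.header_value()
        return response


def apply_hsts(secure: bool, existing: Optional[str] = None,
               middleware: Optional[HSTSPreloadMiddleware] = None) -> Optional[str]:
    """Run one request through the middleware and return the resulting HSTS header."""
    response = Response()
    if existing is not None:
        response["Strict-Transport-Security"] = existing
    mw = middleware or HSTSPreloadMiddleware()
    return mw.process_response(Request(secure), response).get("Strict-Transport-Security")


if __name__ == "__main__":
    print("https:", apply_hsts(True))
    print("http: ", apply_hsts(False))
```

In a real Django project the class would be wrapped with `MiddlewareMixin` (or given a `__call__` that invokes `get_response`) and listed in the middleware setting in place of the commonware entry; the conditional in `process_response` is the part worth keeping, since emitting HSTS on plain-HTTP responses is a no-op for browsers and a trap for any host that cannot yet serve HTTPS.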
Assignee
Updated • 7 years ago
Assignee: nobody → jgiannelos
Comment 6 • 7 years ago
Commit pushed to master at https://github.com/mozilla/mozillians
https://github.com/mozilla/mozillians/commit/8d32ef8ec2b97e5b26dd6631f81a2da23471e70b
[Fix bug 1351514] Add custom middleware to allow HSTS preloading.
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Reporter
Comment 7 • 7 years ago
Many thanks! Looks good on dev:

$ curl -IsSf https://mozillians-dev.allizom.org/ | grep -i strict
strict-transport-security: max-age=31536000; includeSubDomains; preload

Reopening bug since once on prod the site will need submitting using the form here: https://hstspreload.org/?domain=mozillians.org
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee
Comment 8 • 7 years ago
Sounds good. I will make sure to submit the form when it reaches prod and close that bug.
Assignee
Comment 9 • 7 years ago
Closing this bug after submitting the form.
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED