Closed Bug 1061137 Opened 11 years ago Closed 11 years ago

https://accounts.firefox.com no longer sending HSTS header

Categories

(Cloud Services :: Server: Firefox Accounts, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: reed, Unassigned)


https://accounts.firefox.com no longer sends an HSTS header (Strict-Transport-Security).

$ curl -I https://accounts.firefox.com
HTTP/1.1 200 OK
Content-length: 1985
Content-Type: text/html; charset=utf-8
Date: Mon, 01 Sep 2014 09:43:12 GMT
ETag: W/"7c1-1995208239"
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Connection: keep-alive

This broke sometime within the last week, as per https://hg.mozilla.org/mozilla-central/rev/984eb24bd94f. This means Firefox is no longer including accounts.firefox.com in the HSTS preload list.

Thanks! In our last release, we updated the module we use to set this, and I think that may have broken it. We're investigating: https://github.com/mozilla/fxa-content-server/issues/1614

This was fixed in https://github.com/mozilla/fxa-content-server/pull/1615

➜ curl -I https://accounts.firefox.com
HTTP/1.1 200 OK
Content-Length: 1979
Content-Type: text/html; charset=utf-8
Date: Mon, 16 Mar 2015 14:54:15 GMT
ETag: W/"7bb-2083316438"
Strict-Transport-Security: max-age=15552000; includeSubdomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Connection: keep-alive

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
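
The regression in this bug is the kind a header check in a deploy or monitoring step catches. The following is an added example, not part of the bug's comments or of fxa-content-server's code: it parses the Strict-Transport-Security field from `curl -I` style output following RFC 6797 and flags a missing, malformed or short-lived policy. The function names and the 18-week minimum `max-age` are assumptions made for the example.

```javascript
// Added example: evaluate the HSTS policy in a raw HTTP response head.
// MIN_MAX_AGE is an assumed policy threshold, not a value taken from this bug.
const MIN_MAX_AGE = 10886400; // assumption: 18 weeks, in seconds

function parseHsts(value) {
  const seen = new Map();
  for (const part of value.split(';')) {
    const d = part.trim();
    if (d === '') continue; // empty directives are allowed by the grammar
    const eq = d.indexOf('=');
    const name = (eq === -1 ? d : d.slice(0, eq)).trim().toLowerCase();
    const raw = eq === -1 ? null : d.slice(eq + 1).trim();
    if (seen.has(name)) return null; // each directive may appear only once
    seen.set(name, raw === null ? null : raw.replace(/^"(.*)"$/, '$1'));
  }
  const age = seen.get('max-age');
  if (age == null || !/^\d+$/.test(age)) return null; // max-age is required
  return { maxAge: Number(age), includeSubDomains: seen.has('includesubdomains') };
}

// Takes the text of a `curl -I` response and reports the HSTS state.
function checkHsts(rawResponse, minMaxAge = MIN_MAX_AGE) {
  const lines = rawResponse.split(/\r?\n/).slice(1); // skip the status line
  const values = [];
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0 && line.slice(0, i).trim().toLowerCase() === 'strict-transport-security') {
      values.push(line.slice(i + 1).trim());
    }
  }
  if (values.length === 0) return { ok: false, reason: 'missing' };
  const policy = parseHsts(values[0]); // RFC 6797: only the first field is processed
  if (policy === null) return { ok: false, reason: 'malformed' };
  if (policy.maxAge < minMaxAge) return { ok: false, reason: 'max-age too short', ...policy };
  return { ok: true, reason: 'ok', ...policy };
}

// Sample inputs abbreviated from the two curl outputs quoted in this bug.
const BROKEN = ['HTTP/1.1 200 OK', 'Content-Type: text/html; charset=utf-8',
  'X-Frame-Options: DENY', 'Connection: keep-alive'].join('\r\n');
const FIXED = ['HTTP/1.1 200 OK', 'Content-Type: text/html; charset=utf-8',
  'Strict-Transport-Security: max-age=15552000; includeSubdomains',
  'X-Frame-Options: DENY'].join('\r\n');

console.log(checkHsts(BROKEN));
console.log(checkHsts(FIXED));
```

Directive names are matched case-insensitively, so the `includeSubdomains` spelling in the fixed response is accepted as `includeSubDomains`.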