Closed Bug 1077394 Opened 10 years ago Closed 7 years ago

Put all code hosting sites behind TLS and HSTS

Categories

(Developer Services :: General, task)

Product:
Developer Services
Component:
General
Platform:
x86
macOS
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: annevk, Unassigned)

Details

We should not distribute code in the clear. That seems irresponsible at this point.

  http://gitmirror.mozilla.org/
  http://git.mozilla.org/
  http://mxr.mozilla.org/
  http://lxr.mozilla.org/

should all redirect to their HTTPS equivalent which should have a HSTS header.
Agreed.

We'll need to audit the plain old HTTP accesses for automated agents that may not follow redirects properly.
To add to the list in comment 0:
http://hg.mozilla.org/
Component: WebOps: Source Control → General
Product: Infrastructure & Operations → Developer Services
All of the repos in comment 0 are now decommissioned.

And hg.m.o from comment 2 now redirects and uses HSTS:

$ curl -IL http://hg.mozilla.org/
HTTP/1.1 301 Moved Permanently
...

HTTP/1.1 200 Script output follows
Strict-Transport-Security: max-age=31536000
...
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.