$ curl -H 'connection: close' -s -X HEAD -D - https://hello.firefox.com/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6956
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html
Date: Tue, 17 Mar 2015 02:05:39 GMT
ETag: "54ff3e83-1b2c"
Last-Modified: Tue, 10 Mar 2015 18:57:07 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Token-Match: 1
Connection: Close

That is missing a header like this (and probably should be exactly this max-age with includeSubdomains):

Strict-Transport-Security: max-age=15552000; includeSubdomains
Also, once that is in place, a request should be made to get find.firefox.com on the STS preload list maintained by chromium.org. (@see https://bugzilla.mozilla.org/show_bug.cgi?id=958313) /cc :francois
Summary: Must use Strict-Transport-Security headers → Must use Strict-Transport-Security headers and get on Chromium HSTS preload list
BTW, I believe that the (new) way to request inclusion on the preload list is through https://hstspreload.appspot.com/
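A check for the header the bug asks for, as an added example that is not part of this bug or of Mozilla's code: it parses a constructed copy of the response quoted above, extracts the Strict-Transport-Security directives (RFC 6797, directive names are case-insensitive), and reports whether max-age and includeSubDomains meet a chosen threshold. The helper names and the sample header blocks are assumptions. A `require_preload` switch is included because the hstspreload submission form currently requires the `preload` directive, includeSubDomains and a max-age of at least one year (31536000), which the 180-day value proposed above would not satisfy on its own.

```python
"""Check an HTTP response's Strict-Transport-Security policy.

Added example, not code from this bug or from Mozilla. Function names
and the sample header blocks below are constructed for illustration.
"""
import re

# Constructed sample: the header block quoted in the bug (no HSTS header).
SAMPLE_WITHOUT_HSTS = """HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6956
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Connection: Close
"""

# Constructed sample: the same response with the header the bug asks for.
SAMPLE_WITH_HSTS = (
    SAMPLE_WITHOUT_HSTS
    + "Strict-Transport-Security: max-age=15552000; includeSubdomains\n"
)


def parse_headers(raw):
    """Parse a raw HTTP header block into a dict keyed by lowercased name.

    The status line is skipped; parsing stops at the first blank line
    (the end of the header section).
    """
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Split an HSTS field value into {directive_name: value}.

    Directive names are matched case-insensitively, so 'includeSubdomains'
    and 'includeSubDomains' both key as 'includesubdomains'.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw, min_max_age=15552000, require_subdomains=True,
               require_preload=False):
    """Return a list of findings; an empty list means the policy passes."""
    headers = parse_headers(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]

    findings = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not an integer")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} below required {min_max_age}")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    if require_preload and "preload" not in d:
        findings.append("preload directive missing")
    return findings


if __name__ == "__main__":
    print(check_hsts(SAMPLE_WITHOUT_HSTS))
    print(check_hsts(SAMPLE_WITH_HSTS))
    # Preload-list eligibility: one-year max-age plus the preload token.
    print(check_hsts(SAMPLE_WITH_HSTS, min_max_age=31536000,
                     require_preload=True))
```

To run it against a live host, feed the output of `curl -sI https://hello.firefox.com/` (the `-I` form sends a real HEAD request) into `check_hsts` instead of the constructed sample.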
This is not related to the server code, but rather do the deployment of the web frontend, assigning to ops.
Component: Server → Operations
Product: Loop → Mozilla Services
Taking this bug.
Assignee: nobody → bobm
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX