Closed Bug 1143977 Opened 9 years ago Closed 8 years ago

Recommend increasing Strict-Transport-Security max-age to 15552000, includeSubdomains and get on Chromium HSTS preload list

Categories

(Cloud Services Graveyard :: Find My Device, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jrgm, Unassigned)

Details

I realize this somewhat overlaps with https://bugzilla.mozilla.org/show_bug.cgi?id=1143892, but FMD has an STS header, but it should be like this:

> Strict-Transport-Security: max-age=15552000; includeSubdomains

$ curl -H 'connection: close' -s -X HEAD -D - https://find.firefox.com/ 
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400
Date: Tue, 17 Mar 2015 02:13:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close

Also, once that is in place, a request should be made to get find.firefox.com on the STS preload list maintained by chromium.org. (@see https://bugzilla.mozilla.org/show_bug.cgi?id=958313)

/cc :francois
BTW, I believe that the (new) way to request inclusion on the preload list is through https://hstspreload.appspot.com/
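An added example, not part of the bug thread and not Mozilla code: one way to check a captured response against the policy requested in the report (max-age of at least 15552000 plus includeSubDomains). The function names `parse_hsts` and `audit_response` are hypothetical; the sample response is the curl output quoted in the report.

```python
import re

RECOMMENDED_MAX_AGE = 15552000  # seconds (180 days), the value asked for in the bug

# Response headers copied from the curl output in the report.
REPORTED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400
Date: Tue, 17 Mar 2015 02:13:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close
"""

def parse_hsts(value):
    """Parse an STS header value; return None for a malformed policy."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty directive such as a trailing ';'
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # a directive value may be a quoted-string
        if name in directives:
            return None  # RFC 6797: a directive must not appear twice
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a digit string
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit_response(raw_headers):
    """Return findings for a raw header block, as printed by `curl -D -`."""
    values = [line.split(":", 1)[1].strip()
              for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(values[0])  # a UA processes only the first STS header
    if policy is None:
        return ["malformed Strict-Transport-Security header"]
    findings = []
    if policy["max-age"] < RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {policy['max-age']} is below {RECOMMENDED_MAX_AGE}")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains is missing")
    return findings

if __name__ == "__main__":
    for finding in audit_response(REPORTED):
        print(finding)
```

Because directive names are matched case-insensitively, the `includeSubdomains` spelling used in the report passes the check.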
Product sunset
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Cloud Services → Cloud Services Graveyard