sso.mozilla.com should be served with Strict Transport Security (HSTS)

RESOLVED FIXED

Status

Infrastructure & Operations
WebOps: IT-Managed Tools
3 years ago
2 years ago

People

(Reporter: dholbert, Assigned: w0ts0n)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3203], URL)

(Reporter)

Description

3 years ago
sso.mozilla.com should use Strict Transport Security, so that users can just type "sso.mozilla.com/gmail" into the URLbar and we don't have to worry about them getting MITM'd.

More information on Strict Transport Security here:
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

(Basically, this is just a header we can send, to ask the browser to proactively upgrade all future HTTP connections to be HTTPS.)

We don't currently use it for sso.mozilla.com:
> Strict Transport Security (HSTS) 	No
https://www.ssllabs.com/ssltest/analyze.html?d=sso.mozilla.com

Updated

3 years ago
Assignee: nobody → infra
status-firefox41: affected → ---
Component: SSO → Infrastructure: SSO
Product: Webtools → Infrastructure & Operations
QA Contact: jdow
Version: Trunk → other

Comment 1

2 years ago
The HSTS header still isn't set for sso.mozilla.com.

Justin, please can we do this? :-)
Flags: needinfo?(jbryner)

Comment 2

2 years ago
(Oops wrong email for the needinfo, sorry for the noise)
Flags: needinfo?(jbryner) → needinfo?(jdow)

Comment 3

2 years ago
Moving over to webops to add to the sso.mozilla.com configuration.
Assignee: infra → server-ops-webops
Component: Infrastructure: SSO → WebOps: IT-Managed Tools
Flags: needinfo?(jdow)

Updated

2 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3203]

Updated

2 years ago
Assignee: server-ops-webops → rsoderberg
(Assignee)

Updated

2 years ago
Assignee: rsoderberg → rwatson
(Assignee)

Comment 4

2 years ago
curl -s -D- https://sso.mozilla.com
Strict-Transport-Security: max-age=315360000

from
https://www.ssllabs.com/ssltest/analyze.html?d=sso.mozilla.com
Strict Transport Security (HSTS) 	Yes
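An added check, not part of this bug or of Mozilla's tooling, that turns the curl test from comment 4 and the "No"/"Yes" states from the description into a repeatable script: it parses a captured header block for Strict-Transport-Security, extracts max-age and reports a missing or too-short policy. The 180-day floor MIN_MAX_AGE is an assumed policy value and the three sample responses are constructed.

```shell
#!/bin/sh
# Added example: validate the Strict-Transport-Security header in a block of
# HTTP response headers such as the output of
#   curl -s -D- -o /dev/null https://sso.mozilla.com
# check_hsts exit status: 0 = HSTS set with max-age >= MIN_MAX_AGE,
# 1 = no HSTS header at all, 2 = header present but max-age missing or too low.

# Assumed policy floor for max-age: 180 days in seconds.
MIN_MAX_AGE=${MIN_MAX_AGE:-15552000}

# Print the first Strict-Transport-Security value, lower-cased, or nothing.
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]' \
      | sed -n 's/^strict-transport-security:[[:space:]]*//p' | head -n 1
}

# Print the numeric max-age directive from an HSTS value, or nothing.
hsts_max_age() {
    printf '%s\n' "$1" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Succeed only if the HSTS value also covers subdomains.
hsts_includes_subdomains() {
    printf '%s\n' "$1" | grep -q 'includesubdomains'
}

check_hsts() {
    value=$(hsts_value "$1")
    [ -n "$value" ] || return 1
    age=$(hsts_max_age "$value")
    [ -n "$age" ] && [ "$age" -ge "$MIN_MAX_AGE" ] || return 2
    return 0
}

# Constructed sample responses: the "before" state from the bug (no header),
# the fixed state (max-age=315360000 as in comment 4), and a weak policy.
BEFORE='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
'
FIXED='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=315360000
Content-Type: text/html; charset=utf-8
'
WEAK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=60; includeSubDomains
'

report() {  # report NAME HEADERS
    if check_hsts "$2"; then echo "$1: HSTS ok"; else echo "$1: HSTS problem (status $?)"; fi
}
report before "$BEFORE"; report fixed "$FIXED"; report weak "$WEAK"
```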
(Assignee)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED