Closed
Bug 1203453
Opened 9 years ago
Closed 9 years ago
Enable HSTS and HSTS preloading for publicsuffix.org
Categories
(Infrastructure & Operations Graveyard :: WebOps: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: annevk, Assigned: cliang)
References
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1736] )
publicsuffix.org should be entered into https://hstspreload.appspot.com/ (and follow the requirements for that as listed).
Comment 2•9 years ago
To clarify, we're happy with setting up HSTS headers, that's not the issue at all. We're not entirely sure why you'd need HSTS preloading and once we set up HSTS, and if Gerv approves, you should be able to do that yourself.
Reporter
Comment 3•9 years ago
I mentioned preloading because it requires setting a bit in the header that is not mentioned in the HSTS RFC. We want preloading because eventually we want to get rid of the non-HTTPS web.
(Ideally all our domains are set up this way by default, but I'm not sure where I would go to make that policy.)
Comment 4•9 years ago
If fox2mike and his crew are happy to support this site being HTTPS-only forever, then I am happy for it to be.
Gerv
Flags: needinfo?(gerv)
Assignee
Updated•9 years ago
Assignee: server-ops-webops → cliang
Assignee
Comment 5•9 years ago
Anne: I've set up HSTS headers for publicsuffix.org. [1] Can you please confirm that the headers are set the way you'd like?
You didn't specify a max-age in your request and the usual max-age we use is shorter than what is specified on the HSTS Preload submission page. I used the lowest max-age setting acceptable for the Chrome preload list.
[1] $ curl -D - -v https://publicsuffix.org/ 2>&1 | grep ^Strict
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
Flags: needinfo?(annevk)
Reporter
Comment 6•9 years ago
Thank you, that's great! I see it's already been added too, very exciting.
Flags: needinfo?(annevk)
Comment 7•9 years ago
Can we increase the max-age to (at least) 180 days to make SSL Labs happy? There's no reason for it to be low at all, especially considering it's going to be on the HSTS preload list. In fact, you could easily make it the same as Twitter with 20 years (631138519 seconds).
Assignee
Comment 8•9 years ago
I've increased the max-age to 180 days. [1] Given that almost all other Moz properties seem to use a much shorter max-age and it's hard to retreat from a longer max-age once it's been set, I'd want to see some more compelling arguments before setting it to something like 20 years.
Anne: Everything should be set for you to submit the site to HSTS preload list if you'd like.
[1] $ curl -D - -v https://publicsuffix.org/ 2>&1 | grep ^Strict
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
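An added example, not part of the bug thread or of Mozilla's tooling: a Python check of the header values quoted in comments 5 and 8 against a minimum max-age and the includeSubDomains and preload directives. The function and constant names and the lower-case sample are constructed here; unlike `grep ^Strict`, the check matches the field name case-insensitively, which matters because HTTP/2 responses carry lower-case field names.

```python
import re

# Thresholds quoted in the thread: the preload-list minimum at the time
# (comment 5) and the 180 days asked for in comment 7.
PRELOAD_MIN_AT_THE_TIME = 10886400
SSL_LABS_MIN = 180 * 24 * 3600
# Header lines from comments 5 and 8, plus a constructed HTTP/2-style one.
COMMENT_5 = "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload"
COMMENT_8 = "Strict-Transport-Security: max-age=15552000; includeSubDomains; preload"
CONSTRUCTED = "HTTP/2 200\nstrict-transport-security: max-age=300"

def parse_hsts(response_headers):
    """Return the directives of the first Strict-Transport-Security field
    as a dict (names lower-cased), or None if absent or malformed."""
    for line in response_headers.splitlines():
        name, sep, value = line.partition(":")
        # Field names are case-insensitive; HTTP/2 sends them in lower case.
        if sep and name.strip().lower() == "strict-transport-security":
            break
    else:
        return None
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.strip().lower()
        if not key:
            continue
        if key in directives:  # RFC 6797: a directive may appear only once
            return None
        directives[key] = val.strip().strip('"')
    return directives

def check_hsts(response_headers, min_max_age):
    """List the problems that would block preloading; empty list means OK."""
    d = parse_hsts(response_headers)
    if d is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    age = d.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", age):
        problems.append("max-age missing or not a number")
    elif int(age) < min_max_age:
        problems.append(f"max-age {age} is below {min_max_age}")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            problems.append(f"{flag} directive missing")
    return problems
```

Feed it the output of `curl -sD - -o /dev/null https://publicsuffix.org/` and pass whichever minimum max-age the list currently requires as `min_max_age`.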
Assignee
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•8 years ago
Blocks: hsts-preload-everything
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard