https://mozilla.org is a redirect to https://www.mozilla.org. For proper implementation of HSTS we need that 301 response to contain the following header:

Strict-Transport-Security: max-age=300

We'll start with a short max-age (5 minutes, above), then once we're confident that this hasn't negatively impacted traffic we can move it to a day (86400), and then the max (a year, 31536000). This is what we did for www.mozilla.org and it worked well and is far less risky than going with the full year to start.
I talked to :ulfr, and he (like myself) can't think of any problems we might have doing this on mozilla.com either. So let's set that header for https://mozilla.org/ and https://mozilla.com/, starting at 300. Thanks!
https://mozilla.com now redirects to https://www.mozilla.com with the HSTS header set to 300. https://mozilla.org is a little more complicated and I will hold off until next week when I can get more review.
I see the HSTS header, but I also see an extra slash in the location now:

$ curl -I https://mozilla.com
HTTP/1.1 302 Moved Temporarily
X-Backend-Server: TS
Content-Type: text/plain
Strict-Transport-Security: max-age=300
Date: Fri, 16 Sep 2016 20:27:32 GMT
Location: https://www.mozilla.com//
Connection: Keep-Alive
Content-Length: 0
That extra slash existed before this work, and is an unrelated concern. You're welcome to file a separate bug about it if it's essential that we repair it, but it has no material impact on the Observatory score.
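The staged max-age ramp described in the first comment (300, then 86400, then 31536000) and the curl -I check quoted above can be verified mechanically. The following Python is an added example, not code from the bug thread or from the mozilla.org infrastructure: it parses a raw redirect response of the kind curl -I prints, parses the Strict-Transport-Security directives, and reports whether the max-age has reached the expected stage, whether the Location is https, and whether the Location path carries the doubled slash noted above. The sample response is constructed to mirror the quoted output; the STAGES tuple and all function names are this example's own.

```python
"""Added example: check a redirect response for a correctly staged HSTS
header. Not part of the original bug thread; sample data is constructed."""

import re
from typing import Dict, List, Optional, Tuple

# The max-age ramp used in the thread: 5 minutes, one day, one year.
STAGES = (300, 86400, 31536000)

# Constructed sample modelled on the `curl -I https://mozilla.com` output
# quoted in the thread (including the doubled slash in Location).
SAMPLE_RESPONSE = """HTTP/1.1 302 Moved Temporarily
X-Backend-Server: TS
Content-Type: text/plain
Strict-Transport-Security: max-age=300
Date: Fri, 16 Sep 2016 20:27:32 GMT
Location: https://www.mozilla.com//
Connection: Keep-Alive
Content-Length: 0
"""


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers). Header names are lower-cased;
    repeated headers are joined with ', ' as RFC 7230 permits."""
    lines = raw.strip().splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return int(m.group(1)), headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; a numeric max-age is required."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    if not (directives.get("max-age") or "").isdigit():
        raise ValueError("HSTS header lacks a numeric max-age: %r" % value)
    return directives


def check_redirect(raw: str, expected_max_age: int) -> List[str]:
    """Return a list of findings; an empty list means the redirect is as
    expected for the given stage of the ramp."""
    findings: List[str] = []
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        findings.append("not a redirect: status %d" % status)

    location = headers.get("location", "")
    if not location.startswith("https://"):
        findings.append("Location is not https: %r" % location)
    # A doubled slash after the scheme, as seen in the thread's curl output.
    path_part = location.split("://", 1)[1] if "://" in location else location
    if "//" in path_part:
        findings.append("Location contains a doubled slash: %r" % location)

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age = int(parse_hsts(hsts)["max-age"])  # validated numeric above
        if max_age < expected_max_age:
            findings.append("max-age %d below expected stage %d" % (max_age, expected_max_age))
        if max_age not in STAGES:
            findings.append("max-age %d is not one of the planned stages %r" % (max_age, STAGES))
    return findings


if __name__ == "__main__":
    for stage in STAGES:
        print("stage %d:" % stage, check_redirect(SAMPLE_RESPONSE, stage) or "ok")
```

Run the script against a response captured with curl -I (or pipe the captured text into check_redirect) after each bump; the only finding for the sample at the 300 stage is the doubled slash, which matches the thread's conclusion that the slash is unrelated to the HSTS work. Note that RFC 6797 has user agents ignore an STS header received over plain http, so the header must be checked on the https:// redirect, as it is here.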
https://mozilla.org now redirects to https://www.mozilla.org with HSTS headers set. This was done with TrafficScript in the "https-redirect (VS:www.mozilla.org) 2016-10-04" rule.
Nice work, :ericz! Are we planning on increasing the max-age slowly with the same time table as we did for www.mozilla.org? Thanks!
Yes, April. In a few days pmac and I will bump it up a bit.
I think we're ready to bump it up to the next level (86400) whenever you are. Thanks again :ericz!
HSTS value bumped up to 86400.
See Also: → bug 1299816
I think we're ready to bump to the final value (31536000). All seems well so far. Thanks again Eric.
::high fives all around::
HSTS value bumped to 31536000. \o/
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED