Closed Bug 1310813 Opened 8 years ago Closed 8 years ago

Enable HSTS with preloading on people-mozilla.org

Categories

(Infrastructure & Operations :: Infrastructure: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: bhourigan)

people-mozilla.org should only serve traffic over HTTPS, entirely deprecating support for HTTP content-serving as is currently supported at http://people.mozilla.org.

Please set the HTTPS virtualhost for people-mozilla.org (*not* people.mozilla.org, people.mozilla.com, or http:// anything) to include the following line:

    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"

Once that header is live and being served at https://people-mozilla.org/, please submit the site to the HSTS Preload list, which will ensure that it's compiled into all modern browsers as HTTPS-only:

https://hstspreload.appspot.com/

This will have a material effect on your HTTP Observatory score on the riskheatmap dashboard.

This was shipped on 10/31 during the people-mozilla.org redirect maintenance. I refreshed the score on the HTTP Observatory and it's now a D+.
Assignee: infra → bhourigan
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Reopening for the second part of the request - please go to: https://hstspreload.appspot.com/?domain=people-mozilla.org And complete that set of steps. This will force browsers to HTTPS to all URLs at that domain regardless of what the user types.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Also, I filed https://github.com/mozilla/http-observatory/issues/159 to have observatory warn us of miscapitalized HSTS header attribute names, because that's an easy thing to catch.
(In reply to Richard Soderberg [:atoll] from comment #2)
> Reopening for the second part of the request - please go to:
>
> https://hstspreload.appspot.com/?domain=people-mozilla.org
>
> And complete that set of steps. This will force browsers to HTTPS to all
> URLs at that domain regardless of what the user types.

Thanks for that, I went ahead and fixed the case issue in 1b6702d26c60042f1e171d729a845a3a21f14cea. I verified it showed as fixed and completed the steps.

(In reply to Richard Soderberg [:atoll] from comment #3)
> Also, I filed https://github.com/mozilla/http-observatory/issues/159 to have
> observatory warn us of miscapitalized HSTS header attribute names, because
> that's an easy thing to catch.

Great!

All good here, then :)
Status: REOPENED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
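
The two checks this bug turned on, a preload-ready header value and miscapitalized directive names, can be automated before a site is submitted. The following is an added example, not code from this bug or from HTTP Observatory: the function names are hypothetical, the 31536000 minimum is taken from the header requested in the first comment, and capitalization is reported only as a warning because RFC 6797 treats directive names as case-insensitive.

```python
import re

# Canonical directive spellings from RFC 6797 (names are case-insensitive there).
CANONICAL = {"max-age": "max-age", "includesubdomains": "includeSubDomains",
             "preload": "preload"}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (directives, warnings)."""
    directives, warnings = {}, []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip(), arg.strip().strip('"')
        key = name.lower()
        if key in directives:
            # Keep the first occurrence; RFC 6797 allows each directive once.
            warnings.append(f"duplicate directive: {name}")
            continue
        canonical = CANONICAL.get(key)
        if canonical is None:
            warnings.append(f"unknown directive: {name}")
        elif name != canonical:
            warnings.append(f"non-canonical capitalization: {name} (expected {canonical})")
        directives[key] = arg
    return directives, warnings


def check_preload_ready(value, min_max_age=31536000):
    """Return (errors, warnings) for a header meant for preload submission."""
    directives, warnings = parse_hsts(value)
    errors = []
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        errors.append("max-age missing or not an integer")
    elif int(max_age) < min_max_age:  # assumed minimum: the value used on this page
        errors.append(f"max-age {max_age} is below {min_max_age}")
    for key in ("includesubdomains", "preload"):
        if key not in directives:
            errors.append(f"missing directive: {CANONICAL[key]}")
        elif directives[key]:
            errors.append(f"{CANONICAL[key]} must not take a value")
    return errors, warnings


# Header value exactly as requested in the bug's first comment.
REQUESTED = "max-age=31536000; includeSubdomains; preload"
# Constructed sample: too short-lived and missing the preload directive.
WEAK = "max-age=86400; includeSubDomains"
```

Running `check_preload_ready(REQUESTED)` returns no errors but one capitalization warning, the kind of case issue fixed later in this thread.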