Closed Bug 1312135 Opened 9 years ago Closed 9 years ago

Enable HSTS on hg.mozilla.org

Categories

(Developer Services :: Mercurial: hg.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gps, Assigned: gps)

References

Details

Attachments

(1 file)

Enabling HSTS on hg.mozilla.org seems like an obvious incremental security win before we shut off plain text completely in bug 450645. And atoll seems to agree in other channels :) The concerns about clients still using hg.mozilla.org:80 in bug 450645 relate to automated, non-browser clients. So, I can't imagine enabling HSTS (which will likely only impact browsers) will cause any significant breakage *knock on wood*. atoll: is enabling HSTS something you prefer to do on the load balancers? Or would you like the origin servers emitting the header? The only (minor) issue I see is response overhead on Mercurial protocol responses, which won't benefit from the header. We could filter those out by looking for "cmd?" in the URL or "mercurial/proto" in the User-Agent request header. But if people think it is better to make it a blanket setting, I totally understand.
Flags: needinfo?(rsoderberg)
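As an added illustration of the conditional approach gps describes in the comment above (this is example code, not the patch attached to this bug and not part of version-control-tools), a WSGI middleware that emits Strict-Transport-Security only for browser-facing HTTPS responses and skips Mercurial wire-protocol traffic, recognised by a `cmd` query parameter or a `mercurial/proto` User-Agent; the class name, the 5-minute initial max-age and the sample environ dicts are constructed for the demo.

```python
from urllib.parse import parse_qs

# Rollout values discussed in the bug: start short, step up once nothing breaks.
HSTS_MAX_AGE_INITIAL = 300         # 5 minutes (constructed default for this demo)
HSTS_MAX_AGE_FINAL = 31536000      # 1 year


def is_hg_protocol_request(environ):
    """True when the request looks like an hg client, not a browser."""
    if "mercurial/proto" in environ.get("HTTP_USER_AGENT", ""):
        return True
    # Wire-protocol requests carry ?cmd=<command> (capabilities, batch, getbundle, ...).
    return "cmd" in parse_qs(environ.get("QUERY_STRING", ""))


def hsts_value(max_age, include_subdomains=False):
    """Build the header value; includeSubDomains is opt-in because it is a bigger commitment."""
    value = "max-age=%d" % max_age
    return value + "; includeSubDomains" if include_subdomains else value


class HSTSMiddleware:
    """Hypothetical WSGI wrapper that adds HSTS to responses that can use it."""

    def __init__(self, app, max_age=HSTS_MAX_AGE_INITIAL, include_subdomains=False):
        self.app = app
        self.header = hsts_value(max_age, include_subdomains)

    def __call__(self, environ, start_response):
        def hsts_start_response(status, headers, exc_info=None):
            # RFC 6797: browsers ignore HSTS received over plain HTTP, so only
            # bother on https, and never double-set a header the app already sent.
            if (environ.get("wsgi.url_scheme") == "https"
                    and not is_hg_protocol_request(environ)
                    and not any(h.lower() == "strict-transport-security" for h, _ in headers)):
                headers = headers + [("Strict-Transport-Security", self.header)]
            return start_response(status, headers, exc_info)
        return self.app(environ, hsts_start_response)


def demo_app(environ, start_response):
    """Stand-in for hgweb: always answers 200 with a text body."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def run_request(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```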
I think Zeus is better equipped to conditionally set the header, and the origin servers are better equipped to always set the header. Either would be perfectly fine here, I'm available to help :fubar or anyone implement the conditional TS in stage if needed.
Flags: needinfo?(rsoderberg)
Comment on attachment 8803966 [details] hgserver: enable HTTP Strict Transport Security (HSTS) (bug 1312135); Looks good, assuming it works. We commonly see 5 minutes, 1 day, 1 year as the step-up intervals for HSTS - you start at 1 hour here, which is fine too.
Attachment #8803966 - Flags: review?(rsoderberg) → review+
If the initial rollout is 5 minutes elsewhere, let's do that here too. I also just announced the HSTS rollout to dev-version-control. Let's wait ~24 hours to give anyone time to raise concerns. I don't anticipate things going wrong with this service. But you never know.
Comment on attachment 8803966 [details] hgserver: enable HTTP Strict Transport Security (HSTS) (bug 1312135); https://reviewboard.mozilla.org/r/88154/#review87102
Attachment #8803966 - Flags: review?(klibby) → review+
Attachment #8803966 - Flags: review?(rsoderberg) → review+
Assignee: nobody → gps
Status: NEW → ASSIGNED
Pushed by gszorc@mozilla.com: https://hg.mozilla.org/hgcustom/version-control-tools/rev/573476da2cb5 hgserver: enable HTTP Strict Transport Security (HSTS) ; r=fubar
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 1312797
This is deployed to production.