1312797 - Ramp up HSTS max-age on hg.mozilla.org

Status: RESOLVED FIXED

(Developer Services :: Mercurial: hg.mozilla.org, defect)

Description

[Gregory Szorc [:gps]]

+++ This bug was initially created as a clone of Bug #1312135 +++

We deployed HSTS to hg.mozilla.org in bug 1312135 with a max-age of 5 minutes. We should ramp that up to like 1 year once we're confident HSTS will stick.

atoll: what's the usual ramp-up interval?

Comment 1

[:Atoll]

I would wait a day minimum. Sites with higher uncertainty might wait longer.

Comment 2

[Gregory Szorc [:gps]]

Attachment: hgserver: ramp up HSTS max-age to 1 hour (bug 1312797);

5 minutes seems to have been working with no reported issues for a
day. Let's increase things to 1 hour.

Next step after this will be 1 day, where we'll likely sit for a
week or so before going all in.

Review commit: https://reviewboard.mozilla.org/r/88672/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/88672/

Comment 3

[Kendall Libby [:fubar] (he/him)]

Comment on attachment 8804776 [details]
hgserver: ramp up HSTS max-age to 1 hour (bug 1312797);

https://reviewboard.mozilla.org/r/88672/#review87756

shipit

Comment 4

[Pulsebot]

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/14faf1fd7673
hgserver: ramp up HSTS max-age to 1 hour ; r=fubar

Comment 5

[Pulsebot]

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/8f758b8fb65c
hgserver: ramp up HSTS max-age to 1 day

Comment 6

[Gregory Szorc [:gps]]

We're now at max-age=86400 in production.

We'll let that run for a week or two before finalizing on 1 year or some such.

Comment 7

[Gregory Szorc [:gps]]

Attachment: hgserver: ramp up HSTS to 1 year (bug 1312797);

We've been running HSTS at max-age=1 day for ~2 weeks without any
issues. I think it's time to go all in and increase it to 1 year.

Review commit: https://reviewboard.mozilla.org/r/93518/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/93518/

Comment 8

[Kendall Libby [:fubar] (he/him)]

Comment on attachment 8811429 [details]
hgserver: ramp up HSTS to 1 year (bug 1312797);

https://reviewboard.mozilla.org/r/93518/#review93600

Comment 9

[Pulsebot]

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/1af87f1ccc18
hgserver: ramp up HSTS to 1 year ; r=fubar

Comment 10

[Gregory Szorc [:gps]]

I deployed the HSTS to 1 year change to production.

Comment 11

[Firefox Bug Husbandry Bot]

Removing leave-open keyword from resolved bugs, per :sylvestre.