Add mozillians.org to the HSTS preload list

Status

RESOLVED FIXED

People

(Reporter: emorley, Assigned: nemo-yiannis)

Tracking

(Blocks: 1 bug)

Details

(Reporter)

Description

2 years ago
Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves.

Rough steps:
1) Identify mozillians.org subdomains that don't yet support HTTPS and file dependent bugs to fix them.
2) Ensure the apex/root domain (https://mozillians.org/) serves an HSTS header that meets the requirements on https://hstspreload.org/
3) Submit the domain using that same tool

In the case of Mozillians I'm presuming subdomains aren't an issue since the apex domain already sets `includeSubdomains`, and so all that is left is adding the `preload` directive to satisfy #2.

$ curl -IL mozillians.org
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Wed, 29 Mar 2017 01:10:36 GMT
Location: https://mozillians.org/
Connection: Keep-Alive
Content-Length: 0

HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
X-Backend-Server: python3.webapp.phx1.mozilla.com
Vary: Accept-Language,X-Mobile,User-Agent, Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Security-Policy: <SNIP>
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 29 Mar 2017 01:10:37 GMT
Location: https://mozillians.org/en-US/
x-xss-protection: 1; mode=block
Transfer-Encoding: chunked
x-content-type-options: nosniff
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching
(Assignee)

Comment 1

2 years ago
(cc'ing :ericz)

We are not handling HSTS headers in our codebase. I think that it's implemented at the load balancer level.
Regarding other domains, we are only using mozillians.org so I don't think we define any subdomains in our zone.

:ericz

Can you help us with this? Should I move this bug to another component?
Flags: needinfo?(eziegenhorn)
(Reporter)

Comment 2

2 years ago
I can't see the HSTS header being set anywhere in the IT puppet repo (e.g. the mozillians Apache config), so guessing it must be added by ZLB?

Comment 3

2 years ago
It's not set in Apache or Zeus as far as I can see, and I do see it when I hit the webhead directly, so I believe it is coming from your app. Can you check again please?

[eziegenhorn@python1.webapp.phx1 ~]$ curl -sIH'Host: mozillians.org' localhost:81/en-US/ | grep -i strict
Strict-Transport-Security: max-age=31536000; includeSubDomains
[eziegenhorn@python1.webapp.phx1 ~]$ grep -i strict /etc/httpd/mozilla/domains/mozillians.org.conf
[eziegenhorn@python1.webapp.phx1 ~]$
Flags: needinfo?(eziegenhorn)
(Assignee)

Comment 4

2 years ago
You are right, I was grepping the wrong middleware. Apparently we are handling this:

> $ grep -R "StrictTransportMiddleware" mozillians 
> mozillians/settings/base.py:    'commonware.response.middleware.StrictTransportMiddleware'
(Reporter)

Comment 5

2 years ago
That comes from:
https://github.com/jsocol/commonware/blob/392213bb3afdc409fe0c907cc3a2726767756b22/commonware/response/middleware.py#L42-L58

...which doesn't support the `preload` directive.

Django actually now supports most of the things that package provides (and that package isn't maintained), so I'd recommend switching away from it in the future.

I added support for the `preload` directive to Django 1.11 (soon to be released), but that doesn't help here.

Short term I'd suggest just adding a custom middleware to the repo cribbed from the Django 1.11 version:
https://github.com/django/django/blob/stable/1.11.x/django/middleware/security.py#L31-L38
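As an added example (not code from this bug, from the mozillians repository, or from Django itself), the Python below puts together the two technical pieces of the thread: a middleware in the shape of Django's new-style middleware that emits the `preload` directive, along the lines of the Django 1.11 `SecurityMiddleware` suggested in Comment 5, and a checker for the header requirements that step 2 of the description points to on hstspreload.org. The `Response` class, the dict-shaped request with an `is_secure` key, every function name, the one-year `max-age` minimum and the curl transcript are assumptions or constructed for the example; Django's real middleware calls `request.is_secure()` and reads its `SECURE_HSTS_*` settings instead.

```python
import re

# Assumed preload minimum for max-age (one year). hstspreload.org publishes
# the current requirement; confirm it there before submitting a domain.
MIN_MAX_AGE = 31536000


class Response:
    """Constructed stand-in for a framework response: just a headers dict."""

    def __init__(self):
        self.headers = {}


def hsts_middleware(get_response, max_age=MIN_MAX_AGE,
                    include_subdomains=True, preload=True):
    """Middleware factory in the shape of Django's new-style middleware.

    Like Django's SecurityMiddleware it only adds Strict-Transport-Security
    to responses for HTTPS requests (browsers ignore the header over plain
    HTTP) and never overwrites a header the view already set. The request
    here is a plain dict with an ``is_secure`` key (an assumption for the
    example; Django uses ``request.is_secure()``).
    """
    def middleware(request):
        response = get_response(request)
        if request.get("is_secure") and "Strict-Transport-Security" not in response.headers:
            value = "max-age=%d" % max_age
            if include_subdomains:
                value += "; includeSubDomains"
            if preload:
                value += "; preload"
            response.headers["Strict-Transport-Security"] = value
        return response
    return middleware


def parse_hsts(value):
    """Split an STS header value into {directive-name (lower-cased): value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip()
    return directives


def preload_problems(value):
    """Return the reasons a header value would fail the hstspreload.org
    header checks (an empty list means it looks submittable)."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or non-numeric max-age")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append("max-age %s is below the minimum %d" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


# Header names are case-insensitive; curl prints them lower-case over HTTP/2.
_STS_LINE = re.compile(r"^strict-transport-security:[ \t]*(.+?)[ \t\r]*$",
                       re.IGNORECASE | re.MULTILINE)


def hsts_from_curl_output(text):
    """Return the last Strict-Transport-Security value found in ``curl -I``
    style output, or None when no response carried the header."""
    found = _STS_LINE.findall(text)
    return found[-1] if found else None


# Constructed sample in the shape of the thread's ``curl -IL`` output: the
# HTTP->HTTPS redirect has no STS header, the HTTPS response has one
# without ``preload``.
SAMPLE_CURL = """HTTP/1.1 301 Moved Permanently
Location: https://example.invalid/

HTTP/1.1 301 MOVED PERMANENTLY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://example.invalid/en-US/
"""


if __name__ == "__main__":
    before = hsts_from_curl_output(SAMPLE_CURL)
    print("observed:", before, "->", preload_problems(before))
    app = hsts_middleware(lambda request: Response())
    after = app({"is_secure": True}).headers["Strict-Transport-Security"]
    print("middleware:", after, "->", preload_problems(after))
```

Run as a script, it reports the constructed "before" header as missing `preload` and the middleware's output as clean. `preload_problems` only covers the header itself; hstspreload.org additionally checks that the HTTP origin redirects to HTTPS on the same host and that the certificate is valid, which is why the thread waits for the change to reach prod before submitting the form.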
(Assignee)

Updated

2 years ago
Assignee: nobody → jgiannelos

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Reporter)

Comment 7

2 years ago
Many thanks! Looks good on dev:

$ curl -IsSf https://mozillians-dev.allizom.org/ | grep -i strict
strict-transport-security: max-age=31536000; includeSubDomains; preload

Reopening bug since once on prod the site will need submitting using the form here:
https://hstspreload.org/?domain=mozillians.org
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 8

2 years ago
Sounds good. I will make sure to submit the form when it reaches prod and close that bug.
(Assignee)

Comment 9

2 years ago
Closing this bug after submitting the form.
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED