Closed Bug 1441330 Opened 7 years ago Closed 7 years ago

Syncing the Strict-Transport-Security header of srihash.org with www.srihash.org

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: francois, Assigned: joeyk)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6297])

https://www.srihash.org (hosted on Heroku) has the following STS header:

$ curl --head https://www.srihash.org
...
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

whereas the redirect hosted on generic6.webapp.phx1.mozilla.com has the following one:

$ curl --head https://srihash.org
...
strict-transport-security: max-age=15768000

Could we change the srihash.org header to match the other one please? We'd like to get this domain added in the HSTS preload list if possible.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6297]
I want to also add that the http to https redirect should be a 301 and not 307.
(In reply to xhmikosr@gmail.com from comment #1)
> I want to also add that the http to https redirect should be a 301 and not
> 307.

Is there a specific reason you want this to be a 301?
It's not a temporary redirect; it's a permanent one, so the HTTP status code should reflect this.
Assignee: server-ops-webops → jkrejci
I haven't added the preload directive yet, as it could cause some issues. I pushed the following changes for now, I will wait a few days to make sure that all is well and we can work on adding it to the preload list: The 301 is in effect and I edited the max-age to your request as well. jkrejci-23847:puppet jkrejci$ git diff 20596e7708..9c3d4b1db1 diff --git a/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf b/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf index ed51425a6a..c477bd0e06 100644 --- a/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf +++ b/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf @@ -1809,7 +1809,7 @@ LogFormat "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cook Header always set Cache-Control "max-age=600" RewriteEngine On - RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=307,QSA] + RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,QSA] </VirtualHost> <VirtualHost *:81> ServerName https://srihash.org @@ -1819,7 +1819,7 @@ LogFormat "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cook Redirect permanent / https://www.srihash.org/ - Header always set Strict-Transport-Security "max-age=15768000" + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" </VirtualHost>
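Review bot: the switch from R=307 to R=301 in the RewriteRule makes the http to https redirect cacheable by clients, which is what a permanent redirect should be; since `%{HTTP_HOST}` echoes whatever Host header the client sent, the `Cache-Control "max-age=600"` set just above is worth keeping so that a redirect to an unexpected host is not pinned for long. The HSTS header correctly stays out of this plain-HTTP vhost: user agents ignore Strict-Transport-Security received over a non-TLS connection anyway.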
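Review bot: the new value `"max-age=31536000; includeSubdomains;"` in the second hunk ends with a semicolon, which leaves an empty trailing directive; drop it so the value reads `max-age=31536000; includeSubdomains` (the `preload` token is deliberately deferred, as the comment says). Also note that `includeSubdomains` on the apex srihash.org pins every subdomain to HTTPS for a year once a browser has seen it, so any other subdomain still served over plain HTTP becomes unreachable from that browser.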
Thanks! Now we have 2 issues:

1. We need the preload directive and make sure there's no trailing semicolon in the directive
2. `www.srihash.org` does not redirect to https; we need to do that on our side I think, though
Now, that I think about it, it doesn't make any sense to send the HSTS header when we are not using https at all.
Hey xhmikosr,

Do you want me to still add the preload and HSTS then or get rid of it on my end? I'm not sure what to do here... Let me know, thanks!

- Joey K
Flags: needinfo?(xhmikosr)
I think we got lost somewhere, both of us :) For `https://srihash.org` the HSTS header should match what we have including `preload`. So, I think after you add preload, this issue is solved from your side :) The rest we'd need to handle on Heroku side and redirect `http://www.srihash.org` to https.
Flags: needinfo?(xhmikosr)
Ah okay, cool. Added the preload header!

Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
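The three header values that appear in this bug differ in exactly the ways the preload submission cares about (one-year max-age, includeSubDomains, preload, no empty trailing directive). The checker below is an added example, not Mozilla's, srihash.org's or hstspreload.org's code; its thresholds come from the comments above and it parses a header string offline rather than fetching anything.

```python
"""Check a Strict-Transport-Security value for HSTS preload readiness."""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the max-age both sides of the bug settle on


def parse_sts(value: str) -> Tuple[Dict[str, str], List[str]]:
    """Split an STS value into {directive: argument} and collect problems.

    Directive names are case-insensitive (RFC 6797), so the page's
    'includeSubdomains' and 'includeSubDomains' are the same directive.
    An empty token (trailing or doubled ';') is reported, since that is
    exactly the 'no trailing semicolon' issue raised in the bug.
    """
    directives: Dict[str, str] = {}
    problems: List[str] = []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            problems.append("empty directive (trailing or doubled ';')")
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            problems.append(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    if "max-age" not in directives:
        problems.append("max-age is required")
    elif not directives["max-age"].isdigit():
        problems.append("max-age must be a non-negative integer")
    return directives, problems


def preload_ready(value: str) -> List[str]:
    """Return the reasons a header is NOT preload-ready (empty list == OK)."""
    directives, problems = parse_sts(value)
    max_age = directives.get("max-age", "")
    if max_age.isdigit() and int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} < {ONE_YEAR}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    # The three values quoted in the bug, in the order they appear.
    for hdr in ("max-age=15768000",
                "max-age=31536000; includeSubdomains;",
                "max-age=31536000; includeSubdomains; preload"):
        print(repr(hdr), "->", preload_ready(hdr) or "preload-ready")
```

Remember that the value must be checked on the HTTPS response of the host being submitted; a header seen only on the plain-HTTP redirect is ignored by browsers.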
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard