Bug 1441330
Opened 7 years ago
Closed 7 years ago
Syncing the Strict-Transport-Security header of srihash.org with www.srihash.org
Categories: Infrastructure & Operations Graveyard :: WebOps: Other (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter francois; Assignee joeyk
Details
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6297]
https://www.srihash.org (hosted on Heroku) has the following STS header:
$ curl --head https://www.srihash.org
...
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
whereas the redirect hosted on generic6.webapp.phx1.mozilla.com has the following one:
$ curl --head https://srihash.org
...
strict-transport-security: max-age=15768000
Could we change the srihash.org header to match the other one please?
We'd like to get this domain added in the HSTS preload list if possible.
Comment 1•7 years ago
I want to also add that the http to https redirect should be a 301 and not 307.
Comment 2•7 years ago
(In reply to xhmikosr@gmail.com from comment #1)
> I want to also add that the http to https redirect should be a 301 and not
> 307.
Is there a specific reason you want this to be a 301?
Comment 3•7 years ago
It's not a temporary redirect; it's a permanent one, so the HTTP status code should reflect this.
Assignee
Comment 4•7 years ago
I haven't added the preload directive yet, as it could cause some issues. I pushed the following changes for now; I will wait a few days to make sure that all is well, and then we can work on adding it to the preload list:
The 301 is in effect, and I edited the max-age per your request as well.
jkrejci-23847:puppet jkrejci$ git diff 20596e7708..9c3d4b1db1
diff --git a/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf b/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf
index ed51425a6a..c477bd0e06 100644
--- a/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf
+++ b/modules/webapp/files/genericrhel6/etc-httpd/domains/virtual-redirect.mozilla.org.conf
@@ -1809,7 +1809,7 @@ LogFormat "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cook
Header always set Cache-Control "max-age=600"
RewriteEngine On
- RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=307,QSA]
+ RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,QSA]
</VirtualHost>
<VirtualHost *:81>
ServerName https://srihash.org
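Review bot: the redirect target on the `+` line is built from `%{HTTP_HOST}`, the client-supplied Host header, so make sure this `<VirtualHost>` is only matched for its own ServerName/ServerAlias values and is not the default vhost on the port; otherwise a request carrying a spoofed Host header now receives a cacheable 301 to that host instead of to srihash.org. The flag change itself is the right one for an HTTP-to-HTTPS hop that will never be reverted, as comment 3 asks, and the `Header always set Cache-Control "max-age=600"` above keeps the 301 from being cached for more than ten minutes while the change beds in.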
@@ -1819,7 +1819,7 @@ LogFormat "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cook
Redirect permanent / https://www.srihash.org/
- Header always set Strict-Transport-Security "max-age=15768000"
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
</VirtualHost>
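Review bot: the `+` line's value `max-age=31536000; includeSubdomains;` ends with a stray `;`, which a parser reads as an empty directive. RFC 6797 clients tolerate it, but it makes the header differ from the `max-age=31536000; includeSubDomains; preload` that www.srihash.org sends, which is what this bug asks to match, so drop it: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`. Also note that `includeSubDomains` on the apex commits every subdomain of srihash.org, not just www, to HTTPS for a year once a browser has seen the header, so any HTTP-only subdomain needs to be found before `preload` is added and the policy becomes irreversible.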
Comment 5•7 years ago
Thanks! Now we have 2 issues:
1. We need the preload directive, and we need to make sure there's no trailing semicolon in the directive.
2. `www.srihash.org` does not redirect to https; we need to do that on our side, I think, though.
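An added check for what this bug is asking for (example code, not code from the bug, from Mozilla's puppet repo, or from hstspreload.org): parse Strict-Transport-Security values as RFC 6797 section 6.1 describes them, report what stops a value from being preload-ready (max-age of at least one year, includeSubDomains, preload, and no stray `;` as in comment 5), compare the apex and www policies, and check that the plain-HTTP hop is a 301 to the same host over https, as comment 3 asks. The header values and status codes below are constructed from the ones quoted above; the same-host requirement on the redirect is my assumption of what a preload submission expects.

```python
"""Added example: parse Strict-Transport-Security values (RFC 6797 section 6.1)
and check them against the preload requirements discussed in this bug.
Sample values are constructed from the ones quoted in the report; this is not
Mozilla's, Heroku's or hstspreload.org's code."""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the max-age www.srihash.org already sends


def parse_hsts(value):
    """Return (directives, empty_count) for an STS header value.

    Directive names are case-insensitive and are lower-cased; values lose
    surrounding quotes. empty_count counts empty directives, which is what a
    trailing ';' produces (comment 5). Raises ValueError for a header a
    conforming UA must ignore: duplicate directive, missing or bad max-age.
    """
    directives = {}
    empty = 0
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            empty += 1
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"\d+", directives["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    return directives, empty


def preload_problems(value):
    """List the reasons a header value is not ready for preload submission."""
    try:
        directives, empty = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    problems = []
    if int(directives["max-age"]) < ONE_YEAR:
        problems.append(f"max-age {directives['max-age']} is below {ONE_YEAR}")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            problems.append(f"{required} directive missing")
    if empty:
        problems.append("empty directive (stray ';')")
    return problems


def same_policy(value_a, value_b):
    """True when two header values carry the same directives and values,
    ignoring case, whitespace and empty directives."""
    return parse_hsts(value_a)[0] == parse_hsts(value_b)[0]


def redirect_problems(request_host, status, location):
    """Check the plain-HTTP hop: permanent status, https target, same host
    (assumed here to be what a preload submission expects)."""
    problems = []
    if status != 301:
        problems.append(f"status {status} is not the permanent 301")
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    if target.hostname != request_host:
        problems.append(
            f"Location host {target.hostname!r} differs from {request_host!r}")
    return problems


# Constructed inputs, taken from the values quoted in the bug.
WWW_HEADER = "max-age=31536000; includeSubDomains; preload"
APEX_BEFORE = "max-age=15768000"
APEX_AFTER_COMMENT4 = "max-age=31536000; includeSubdomains;"
APEX_AFTER_COMMENT9 = "max-age=31536000; includeSubdomains; preload"


def report():
    """Summarise the apex header at each step of the bug plus the redirect."""
    return {
        "before": preload_problems(APEX_BEFORE),
        "comment4": preload_problems(APEX_AFTER_COMMENT4),
        "comment9": preload_problems(APEX_AFTER_COMMENT9),
        "matches_www": same_policy(APEX_AFTER_COMMENT9, WWW_HEADER),
        "redirect_307": redirect_problems("srihash.org", 307, "https://srihash.org/"),
        "redirect_301": redirect_problems("srihash.org", 301, "https://srihash.org/"),
    }


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key}: {val}")
```

Running it shows the apex header going from three problems (short max-age, no includeSubDomains, no preload) to two after comment 4 (missing preload, stray `;`) to none after comment 9, and the 307 being the only thing wrong with the original redirect.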
Comment 6•7 years ago
Now that I think about it, it doesn't make any sense to send the HSTS header when we are not using https at all.
Assignee
Comment 7•7 years ago
Hey xhmikosr,
Do you want me to still add the preload and HSTS, then, or get rid of it on my end? I'm not sure what to do here...
Let me know, thanks!
- Joey K
Flags: needinfo?(xhmikosr)
Comment 8•7 years ago
I think we got lost somewhere, both of us :)
For `https://srihash.org` the HSTS header should match what we have including `preload`.
So, I think after you add preload, this issue is solved from your side :)
The rest we'd need to handle on Heroku side and redirect `http://www.srihash.org` to https.
Flags: needinfo?(xhmikosr)
Assignee
Comment 9•7 years ago
Ah okay, cool. Added the preload header!
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard