Implement Strict-Transport-Security headers to force HTTPS access on Bugzilla

RESOLVED FIXED

8 years ago
7 years ago

People

(Reporter: clyon, Assigned: reed)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
There should be a way to do this header off the Zeus where we set the header for STS. Can we do this for Bugzilla? Not a major rush but would need to do soon.

The header should look like this:
Strict-Transport-Security: max-age=###
where ### is delta-seconds, high enough that most people will visit AMO
before the expiry date.

BTW, there is a bug in for Bugzilla the application to do this, but I'm not sure they have a priority on this.
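
An added example, not part of the original report or of the Bugzilla or Zeus code: a small audit of a Strict-Transport-Security value as a deployment check might apply it, following the RFC 6797 parsing rules. The function names and the `MIN_MAX_AGE` floor are assumptions; the report only asks for a max-age that is "high enough".

```python
import re

# Assumed policy floor for this example (about six months); the report only
# says the value must be "high enough", so this number is an assumption.
MIN_MAX_AGE = 15768000

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a directive dict.

    Raises ValueError on the malformations RFC 6797 says invalidate the header.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # RFC 6797 allows empty directives (";;")
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string form, e.g. max-age="300"
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val if sep else None
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        raise ValueError("max-age must be non-negative integer delta-seconds")
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit_hsts(value, scheme="https", min_age=MIN_MAX_AGE):
    """Return a list of findings for one response; empty list means it passes."""
    if scheme != "https":
        return ["header sent over plain HTTP is ignored by browsers"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 tells the browser to drop the HSTS entry")
    elif d["max-age"] < min_age:
        findings.append(f"max-age {d['max-age']} is below the floor {min_age}")
    return findings
```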
(Assignee)

Comment 1

8 years ago
We generally try not to create duplicate bugs for things that are really upstream issues.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 562475
(Reporter)

Comment 2

8 years ago
This is for the Zeus, not for the Bugzilla code. Reopening..
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
(Assignee)

Updated

8 years ago
Depends on: 562475
(Assignee)

Comment 3

8 years ago
Created attachment 454203 [details] [diff] [review]
patch - v1

Backport of upstream patch to 3.6 plus a few bmo-only changes.
Assignee: nobody → reed
Status: REOPENED → ASSIGNED
(Assignee)

Comment 4

8 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bmo/3.6/
modified Bugzilla/CGI.pm
modified Bugzilla/Constants.pm
Committed revision 7109.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Depends on: 558044
Resolution: --- → FIXED
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org