Closed Bug 671992 Opened 14 years ago Closed 14 years ago

Enable Strict Transport Security to Enhance Connection Security

Categories

(Mozilla Labs :: Identity, defect)

Type: defect
Priority: Not set
Severity: major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mcoates, Assigned: benadida)

Details

(Whiteboard: [infrasec:tls][ws:moderate])

Issue

The browserid.org website is not leveraging the additional security benefits provided by HTTP Strict Transport Security. This feature can be easily added and will ensure that browsers that support HSTS cannot be fooled into establishing an insecure communication (such as from a man-in-the-middle attack) with https://browserid.org/

Recommended Remediation

Implement STS for the domain browserid.org and also include the subdomain flag. This can be achieved by adding the response header "Strict-Transport-Security" for all responses.

Note: this will apply to all HTTP interaction with this domain and subdomains. Please ensure this will work correctly if any other pages are located at this domain but not associated with the account portal.

Additional information

https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security
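The remediation above (set Strict-Transport-Security with the subdomain flag on every response) is small, but two details decide whether it actually protects anything: user agents ignore the header when it arrives over plain HTTP (RFC 6797 section 8.1), so the first, unprotected visit must be redirected to HTTPS and receive the header there; and includeSubDomains makes the browser refuse plain HTTP to every subdomain, which is the reason for the note about unrelated pages on the domain. The following is an added example, not the browserid.org code: a Node.js middleware pair in the Connect-style (req, res, next) shape that emits the header only on TLS responses and redirects plain-HTTP GET/HEAD requests. The option names, the X-Forwarded-Proto convention for a TLS-terminating proxy, and the sample requests are assumptions.

```javascript
// Added example, not the browserid.org code: Strict-Transport-Security
// middleware in the Node.js/Connect (req, res, next) style, plus the
// HTTP-to-HTTPS redirect that HSTS depends on for a client's first visit.
// Option names, the X-Forwarded-Proto convention and the sample requests
// below are assumptions, not taken from the bug.

// Build the header value. max-age is in seconds and is mandatory per
// RFC 6797; includeSubDomains is the "subdomain flag" the bug asks for.
// max-age=0 is legal and tells the browser to forget a cached policy.
function hstsHeaderValue({ maxAge, includeSubDomains = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer (seconds)');
  }
  return 'max-age=' + maxAge + (includeSubDomains ? '; includeSubDomains' : '');
}

// Was this request delivered over TLS? Either directly (the socket is a
// TLS socket) or via a TLS-terminating proxy that sets X-Forwarded-Proto.
// trustProxy must only be enabled when the app is reachable solely through
// that proxy, otherwise a client can forge the header.
function isSecure(req, { trustProxy = false } = {}) {
  if (req.connection && req.connection.encrypted) return true;
  if (!trustProxy) return false;
  const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

// Middleware: set the header on every HTTPS response. Browsers discard the
// header on plain HTTP (RFC 6797 s8.1), so it is not emitted there.
function hsts(opts) {
  const value = hstsHeaderValue(opts);
  return function (req, res, next) {
    if (isSecure(req, opts)) res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

// Middleware: send plain-HTTP requests to the HTTPS origin so the first
// visit (before any policy is cached) lands on TLS and gets the header.
// Only GET/HEAD are redirected; a POST body sent over HTTP has already
// leaked, so replaying it over HTTPS would only hide the mistake.
function redirectToHttps(host, opts) {
  return function (req, res, next) {
    if (isSecure(req, opts)) return next();
    if (req.method !== 'GET' && req.method !== 'HEAD') {
      res.statusCode = 403;
      return res.end('HTTPS required');
    }
    res.statusCode = 301;
    res.setHeader('Location', 'https://' + host + req.url);
    res.end();
  };
}

// Drive both middlewares over a fake request/response so the behaviour can
// be checked offline. Returns the status and headers the client would see.
function simulate(req, { host, maxAge, includeSubDomains, trustProxy }) {
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end() { this.ended = true; },
  };
  const chain = [
    redirectToHttps(host, { trustProxy }),
    hsts({ maxAge, includeSubDomains, trustProxy }),
  ];
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return { status: res.statusCode, headers: res.headers };
}

// Constructed sample policy and requests (assumed deployment: TLS is
// terminated at a proxy in front of the Node.js process).
const policy = { host: 'browserid.org', maxAge: 31536000, includeSubDomains: true, trustProxy: true };
const httpsGet = { method: 'GET', url: '/', headers: { 'x-forwarded-proto': 'https' }, connection: {} };
const httpGet = { method: 'GET', url: '/login', headers: { 'x-forwarded-proto': 'http' }, connection: {} };
const httpPost = { method: 'POST', url: '/login', headers: {}, connection: {} };

console.log(JSON.stringify(simulate(httpsGet, policy)));
console.log(JSON.stringify(simulate(httpGet, policy)));
console.log(JSON.stringify(simulate(httpPost, policy)));
```

When rolling this out, start with a short max-age (minutes to hours) and without includeSubDomains, confirm that every hostname under the domain is reachable over HTTPS with a valid certificate, then raise max-age and add the flag; a cached policy with a long max-age cannot be revoked from the server side except by serving max-age=0 over HTTPS to each client that returns.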
Assignee: nobody → benadida
This is now committed in the dev branch, should be deployed in dev next Thursday.
This is now fixed in production.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Opening since this is no longer an issue.
Group: webtools-security