Closed Bug 689135 Opened 14 years ago Closed 14 years ago

Enable HSTS in mozillians

Categories

(Participation Infrastructure :: Phonebook, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mgoodwin, Assigned: davedash)

Details

(Whiteboard: [infrasec:tls][ws:moderate] )

Issue: Mozillians does not make use of HTTP Strict Transport Security (HSTS). HSTS reduces the likelihood of a user falling victim to various man-in-the-middle scenarios; as such, its use is recommended.

Steps to reproduce:
1) Enable developer console, turn on net logging
2) Log in to Pancake
3) View the requests listed in the console
4) Observe the lack of Strict-Transport-Security headers in the HTTP responses

Recommended remediation: Configure the webserver (or application) to send a Strict-Transport-Security header. If possible, please set the includeSubDomains parameter.
OS: Mac OS X → All
Hardware: x86 → All
Sounds like a relatively simple middleware. In fact, here is one: <https://github.com/jsocol/commonware/blob/master/commonware/response/middleware.py>
Target Milestone: --- → 1.0
Target Milestone: 1.0 → ---
Assignee: nobody → dd
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → 1.0
Whiteboard: [infrasec:bestpractice] [ws:moderate] → [infrasec:tls][ws:moderate]
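The remediation in the report (send a Strict-Transport-Security header, with includeSubDomains if possible) and the "simple middleware" suggested in the follow-up comment can be shown in a few lines of pure WSGI. The block below is an added example written for this page; it is not mozillians' code and not the commonware middleware that was linked. The class and function names (HstsMiddleware, hsts_status, hello_app) and the one-year max-age are assumptions. The header is only attached when the request arrived over HTTPS, since RFC 6797 has browsers ignore HSTS received over plain HTTP, and hsts_status mirrors step 4 of the report by inspecting the response headers for the header.

```python
"""WSGI middleware that adds an HTTP Strict Transport Security header.

Added example, not mozillians' or commonware's code. Names
(HstsMiddleware, hsts_status, hello_app) and the one-year max-age are
assumptions made for this illustration.
"""
from wsgiref.util import setup_testing_defaults

ONE_YEAR = 60 * 60 * 24 * 365  # seconds; assumed value for max-age


class HstsMiddleware:
    """Wrap a WSGI app and add Strict-Transport-Security to HTTPS responses.

    Browsers ignore the header over plain HTTP (RFC 6797), so it is only
    attached when wsgi.url_scheme reports "https". An existing header set
    by the application is left untouched.
    """

    def __init__(self, app, max_age=ONE_YEAR, include_subdomains=True):
        self.app = app
        self.value = "max-age=%d" % max_age
        if include_subdomains:
            self.value += "; includeSubDomains"

    def __call__(self, environ, start_response):
        secure = environ.get("wsgi.url_scheme") == "https"

        def hsts_start_response(status, headers, exc_info=None):
            already_set = any(
                name.lower() == "strict-transport-security" for name, _ in headers
            )
            if secure and not already_set:
                headers.append(("Strict-Transport-Security", self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def hello_app(environ, start_response):
    """Constructed stand-in for the application being wrapped."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def hsts_status(app, scheme):
    """Drive `app` once over `scheme` and return the HSTS header value, or None.

    This is the check from step 4 of the report: look at the response
    headers for Strict-Transport-Security.
    """
    environ = {}
    setup_testing_defaults(environ)  # constructed request environment
    environ["wsgi.url_scheme"] = scheme
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    assert body == b"hello"
    for name, value in captured["headers"]:
        if name.lower() == "strict-transport-security":
            return value
    return None


if __name__ == "__main__":
    wrapped = HstsMiddleware(hello_app)
    print("bare app over https:   ", hsts_status(hello_app, "https"))  # None: the bug
    print("wrapped app over https:", hsts_status(wrapped, "https"))    # max-age=31536000; includeSubDomains
    print("wrapped app over http: ", hsts_status(wrapped, "http"))     # None: header only on TLS
```

When the application sits behind a TLS-terminating proxy, wsgi.url_scheme is usually "http" on the backend; the scheme then has to be taken from a header the proxy sets and the backend trusts, otherwise the middleware never emits the header and the bug looks unfixed from the browser.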
Excellent, thanks.
Status: RESOLVED → VERIFIED
Group: mozilla-corporation-confidential
Component: mozillians.org → Phonebook
Product: Websites → Community Tools
QA Contact: mozillians-org → phonebook
Target Milestone: 1.0 → ---
Version: unspecified → other