Closed Bug 741534 Opened 13 years ago Closed 13 years ago

Betafarm: Please set appropriate STS header

Categories

(Websites :: mozillalabs.com, defect)

Platform: x86
OS: macOS
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mgoodwin, Assigned: jfong)

References

Details

(Whiteboard: [infrasec:tls] [ws:low])

Issue: BetaFarm is not using HSTS, which would help ensure users can only access the site over HTTPS.

Remediation: Add the necessary HTTP header to enforce HSTS. More information is available at the following link: https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security
Assignee: nobody → jfong
mgoodwin: it's not clear from comment #0 whether this is a release blocker or a nice-to-have. Can you clarify?
Mark, can you provide some additional info on this, specifically a pointer to a Mozilla Django project that uses this. Our developer is not sure what this is. Thanks again.
Brandon, can you give us some feedback on this... Jenn and pmac think this might fall to you. If it does, can you take this on, and also brief us on what this is for our own knowledge.
The link in comment 0 explains it -- it's basically to drive people towards the https URI, as I understand it. Jen can do this by adding HTTP headers as Django middleware -- I'm just not sure a) specifically how that's done, and b) what the right values should be for max-age, and whether we need to do anything w/ subdomains.
I believe in the environments that are hosting -dev, -stage, and will host -prod (same OS, network, LB configs) we are adding sufficient headers to meet this requirement. See the line "< Strict-Transport-Security: max-age=2592000" in the below curl output; let us know if we're missing a header to meet HSTS requirements.

bburton@andesite ~$ curl -v https://mozillalabs-dev.allizom.org/ -o /dev/null  ‹1.9.2-p290›
* About to connect() to mozillalabs-dev.allizom.org port 443 (#0)
*   Trying 63.245.217.82...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0connected
* Connected to mozillalabs-dev.allizom.org (63.245.217.82) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using RC4-SHA
* Server certificate:
*   subject: serialNumber=QFblspylXort2BviK0LdJuDx7haU0SBy; C=US; ST=California; L=Mountain View; O=Mozilla Corporation; CN=*.allizom.org
*   start date: 2011-10-10 22:11:59 GMT
*   expire date: 2013-12-11 16:30:26 GMT
*   subjectAltName: mozillalabs-dev.allizom.org matched
*   issuer: C=US; O=GeoTrust, Inc.; CN=GeoTrust SSL CA
*   SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: mozillalabs-dev.allizom.org
> Accept: */*
>
  0     0    0     0    0     0      0      0 --:--:--  0:00:06 --:--:--     0< HTTP/1.1 301 MOVED PERMANENTLY
< Date: Thu, 05 Apr 2012 17:09:28 GMT
< Server: Apache
< Strict-Transport-Security: max-age=2592000
< Vary: Accept-Language
< x-frame-options: DENY
< X-Content-Security-Policy: allow 'self'; options eval-script; img-src 'self' https://www.mozilla.org http://www.mozilla.org https://statse.webtrendslive.com; script-src 'self' http://browserid.org https://browserid.org https://statse.webtrendslive.com; font-src 'self' https://www.mozilla.org http://www.mozilla.org; style-src 'self' https://www.mozilla.org http://www.mozilla.org
< X-Backend-Server: node202
< Location: https://mozillalabs-dev.allizom.org/en-US/
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
<
  0     0    0     0    0     0      0      0 --:--:--  0:00:07 --:--:--     0* Connection #0 to host mozillalabs-dev.allizom.org left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
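The two open questions in this thread (what the right max-age is, and whether subdomains need anything) are answered by how a browser processes the header under RFC 6797: the header is only honoured on an https response (so it counts on the 301 above, which curl fetched over port 443, but a copy sent on a plain-http redirect would be ignored), only the first Strict-Transport-Security header is processed, max-age is in seconds (the 2592000 above is 30 days), and includeSubDomains is what stops subdomains being reached over http. The following checker is an added example written for this page, not code from the bug, from Betafarm or from Mozilla; RECOMMENDED_MIN_MAX_AGE (one year) is this example's assumption, and DEV_RESPONSE is constructed from the headers in the curl output above.

```python
"""Evaluate a Strict-Transport-Security header the way a browser does
(RFC 6797). Added example for this bug; not Betafarm or Mozilla code."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]  # (name, value) pairs, as in a curl -v dump

# Assumption of this example: the floor used for max-age (one year).
RECOMMENDED_MIN_MAX_AGE = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse one STS header value. Returns None for an invalid header:
    max-age missing or non-numeric, or any directive repeated. Unknown
    directives are ignored, as the RFC requires."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')  # a quoted-string value is allowed
            if not re.fullmatch(r"[0-9]+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def effective_hsts(scheme: str, headers: Headers) -> Optional[HstsPolicy]:
    """The policy a browser would record from this response. Over plain
    http the header is ignored entirely, and when several STS headers are
    present only the first is processed (RFC 6797 section 8.1)."""
    if scheme.lower() != "https":
        return None
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def hsts_findings(scheme: str, headers: Headers) -> List[str]:
    """Review findings for one response; an empty list means no concerns."""
    policy = effective_hsts(scheme, headers)
    if policy is None:
        return ["no HSTS policy recorded (header missing, invalid, or sent over http)"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy instead of setting one")
    elif policy.max_age < RECOMMENDED_MIN_MAX_AGE:
        days = policy.max_age // 86400
        findings.append(f"max-age is {days} days; one year or more is recommended")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains can still be reached over http")
    return findings


# Constructed from the -dev response in the curl output above (only the
# headers that matter here; the scheme is https because curl used port 443).
DEV_RESPONSE: Headers = [
    ("Date", "Thu, 05 Apr 2012 17:09:28 GMT"),
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=2592000"),
    ("x-frame-options", "DENY"),
    ("Location", "https://mozillalabs-dev.allizom.org/en-US/"),
]

if __name__ == "__main__":
    for line in hsts_findings("https", DEV_RESPONSE):
        print("-", line)
```

Run against the -dev headers this reports a 30-day max-age and no includeSubDomains; the same headers evaluated as an http response yield no policy at all, which is why the header must be emitted on the https vhost and not only on the redirect.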
Mark: Please see Brandon's comment above. Can you let me know if we are good to close the bug. I want to be sure we are clear on infra/sec review for launch. Many thanks!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Apologies for going quiet on you; I was on PTO last week. I'll retest all of the issues for tomorrow AM (pacific time); assuming they're all fixed, you're good to go. Thanks.
Mark, can you verify or re-open this one? This is the only outstanding infrasec bug we have. Thanks!
Certainly. Thanks.
Status: RESOLVED → VERIFIED
Component: Betafarm → mozillalabs.com