
enable HSTS on *.planet.wikimedia.org
Closed, Resolved · Public

Description

T132521 and https://wikitech.wikimedia.org/wiki/HTTPS/domains say, among many other things, that:

*.planet.wikimedia.org does not have HSTS enabled.

enable it

Event Timeline

Dzahn created this task. Apr 13 2016, 5:09 AM
Restricted Application added a project: Operations. Apr 13 2016, 5:09 AM
Restricted Application added a subscriber: Aklapper.
Poyekhali triaged this task as Normal priority. Apr 13 2016, 5:11 AM
Dzahn added a comment. Apr 13 2016, 5:14 AM

looking at the config I already see:

Header always set Strict-Transport-Security "max-age=604800"

isn't it already enabled?

Dzahn closed this task as Invalid. Apr 13 2016, 5:20 AM

already resolved/invalid

it's enabled and *.planet. uses standard cache cluster termination, it's misc-web, besides having a separate wildcard cert, so doesn't really belong to T132521 and:

Strict Transport Security (HSTS) Yes

https://www.ssllabs.com/ssltest/analyze.html?d=es.planet.wikimedia.org&s=208.80.153.248
https://www.ssllabs.com/ssltest/analyze.html?d=es.planet.wikimedia.org&latest

Dzahn added a comment. Edited · Apr 13 2016, 5:22 AM

@Pokefan95 do me a favor and update https://wikitech.wikimedia.org/wiki/HTTPS/domains ? can't log in on wikitech due to lack of second factor. thanks

@Dzahn: Doing...

Dzahn changed the task status from Invalid to Resolved. Apr 13 2016, 5:29 AM

@Pokefan95 thank you, then there was actually something to resolve, heh

Dzahn added a comment. Apr 13 2016, 5:35 AM

the change that enabled this was https://gerrit.wikimedia.org/r/#/c/253758/ on 2015-11-18

Poyekhali added a comment. Edited · Apr 13 2016, 5:36 AM

@Dzahn: For now, I just changed it from "No" to "Yes" (https://wikitech.wikimedia.org/w/index.php?title=HTTPS/domains&diff=433393&oldid=200991). What is the duration of the HSTS?

Ah, ok, thanks