Page MenuHomePhabricator
Create Task
Maniphest T132543

enable HSTS on *.planet.wikimedia.org
Closed, ResolvedPublic
Actions

Description

T132521 and https://wikitech.wikimedia.org/wiki/HTTPS/domains say, among many other things, that:

*.planet.wikimedia.org does not have HSTS enabled.

enable it

Related Objects
Search...

Event Timeline

Dzahn created this task.Apr 13 2016, 5:09 AM
Restricted Application added a project: SRE. · View Herald TranscriptApr 13 2016, 5:09 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Poyekhali triaged this task as Medium priority.Apr 13 2016, 5:11 AM
Dzahn added a comment.Apr 13 2016, 5:14 AM

looking at the config i already see:

13 Header always set Strict-Transport-Security "max-age=604800"

isn't it already enabled?

Dzahn closed this task as Invalid.Apr 13 2016, 5:20 AM

already resolved/invalid

it's enabled and *.planet. uses use standard cache cluster termination, it's misc-web, besides having a separate wildcard cert, so doesnt really belong to T132521 and:

Strict Transport Security (HSTS) Yes

https://www.ssllabs.com/ssltest/analyze.html?d=es.planet.wikimedia.org&s=208.80.153.248
https://www.ssllabs.com/ssltest/analyze.html?d=es.planet.wikimedia.org&latest

Dzahn added a comment.EditedApr 13 2016, 5:22 AM

@Pokefan95 do me a favor and update https://wikitech.wikimedia.org/wiki/HTTPS/domains ? can't login on wikitech due to lack of second factor . thanks

Dzahn added a subscriber: Poyekhali.Apr 13 2016, 5:22 AM
Poyekhali added a comment.Apr 13 2016, 5:29 AM

@Dhann: Doing...

Dzahn changed the task status from Invalid to Resolved.Apr 13 2016, 5:29 AM
Dzahn added a parent task: T40516: Enable HSTS on Wikimedia sites.

@Pokefan95 thank you , then there was actually something to resolve, heh

Dzahn added a comment.Apr 13 2016, 5:35 AM

the change that enabled this was https://gerrit.wikimedia.org/r/#/c/253758/ on 2015-11-18

Poyekhali added a comment.EditedApr 13 2016, 5:36 AM

@Dzhan: For now, I just changed it from "No" to "Yes" (https://wikitech.wikimedia.org/w/index.php?title=HTTPS/domains&diff=433393&oldid=200991). What is the duration of the HSTS?

Dzahn added a comment.Apr 13 2016, 5:39 AM

it's max-age=31536000 (from https://www.ssllabs.com/ssltest/analyze.html?d=es.planet.wikimedia.org&s=208.80.153.248) so that means 1yr

Poyekhali added a comment.Apr 13 2016, 5:39 AM

Ah, ok, thanks

Dzahn added a project: Wikimedia-Planet.Mar 5 2019, 10:45 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL