
Enable TLS for mobileapps and implement the Strict-Transport-Security header
Closed, Duplicate · Public

Description

Follow-up from {T227114}

TLS/SSL

  1. The dev/local environment obviously doesn't make use of TLS, which is fine, but does the production environment? I'm not sure if there's an actual standard or best practice for Wikimedia services, but as a standard security best practice, I'd still at least recommend TLS even if there is no authn/z or sensitive data in transit. (risk: medium)
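The finding above recommends TLS for the production listener, and the task title asks for the Strict-Transport-Security header on top of it. The following is an added example, not code from the task, from mobileapps or from the Wikimedia service-runner template: a small Node.js middleware that emits an HSTS header only on responses that actually arrived over TLS (RFC 6797 requires user agents to ignore HSTS received over plain HTTP, so emitting it on a plaintext listener is misleading), plus a checker that parses a header value the way a reviewer or a test would. The `X-Forwarded-Proto` handling assumes a hypothetical TLS-terminating proxy in front of the service that strips client-supplied copies of that header; `fakeRequest` and `fakeResponse` are constructed stand-ins so the code runs offline.

```javascript
'use strict';
// Added example: HSTS middleware and header checker for a Node.js HTTP service.
// Not mobileapps/service-runner code; the proxy header handling is an assumption.

const ONE_YEAR = 365 * 24 * 60 * 60; // seconds; the usual floor for preload lists

// Build a Strict-Transport-Security header value from explicit options.
function buildHsts({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// True when the request came in over TLS, either directly (socket.encrypted) or,
// when trustProxy is set, via a reverse proxy that sets X-Forwarded-Proto.
// trustProxy must stay false unless that proxy overwrites client-supplied values.
function isTls(req, trustProxy = false) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const xfp = req.headers && req.headers['x-forwarded-proto'];
  if (typeof xfp !== 'string') return false;
  // Chained proxies may append values ("https, http"); the first is the client-facing scheme.
  return xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// Middleware: set HSTS only on TLS responses, leave plaintext responses untouched.
function hstsMiddleware(options = {}) {
  const value = buildHsts(options);
  const trustProxy = Boolean(options.trustProxy);
  return function (req, res, next) {
    if (isTls(req, trustProxy)) {
      res.setHeader('Strict-Transport-Security', value);
    }
    if (typeof next === 'function') next();
  };
}

// Parse an HSTS value and report problems against a minimum max-age.
// Returns { ok, maxAge, includeSubDomains, preload, problems }.
function checkHsts(value, minMaxAge = ONE_YEAR) {
  const result = { ok: false, maxAge: null, includeSubDomains: false, preload: false, problems: [] };
  if (typeof value !== 'string' || value.trim() === '') {
    result.problems.push('header missing');
    return result;
  }
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const [name, val] = directive.split('=').map((s) => s.trim());
    const lname = name.toLowerCase(); // directive names are case-insensitive
    if (lname === 'max-age') {
      if (!/^\d+$/.test(val || '')) { result.problems.push('max-age not a non-negative integer'); continue; }
      if (result.maxAge !== null) result.problems.push('max-age repeated');
      result.maxAge = Number(val);
    } else if (lname === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (lname === 'preload') {
      result.preload = true;
    } else {
      result.problems.push(`unknown directive: ${name}`);
    }
  }
  if (result.maxAge === null) result.problems.push('max-age missing');
  else if (result.maxAge < minMaxAge) result.problems.push(`max-age ${result.maxAge} below ${minMaxAge}`);
  if (result.preload && (!result.includeSubDomains || result.maxAge === null || result.maxAge < ONE_YEAR)) {
    result.problems.push('preload requires includeSubDomains and max-age >= 1 year');
  }
  result.ok = result.problems.length === 0;
  return result;
}

// Constructed request/response stand-ins so the middleware can be exercised offline.
function fakeRequest({ encrypted = false, headers = {} } = {}) {
  return { socket: { encrypted }, headers };
}
function fakeResponse() {
  const headers = {};
  return {
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    getHeader: (k) => headers[k.toLowerCase()],
  };
}

// Usage: plug hstsMiddleware({ trustProxy: true }) in front of the service's handlers,
// then run checkHsts(res.getHeader('Strict-Transport-Security')) in an integration test.
```

Plugging the middleware into a service without also turning on the TLS listener is pointless: the header is never emitted on plaintext responses, so the check in an integration test will fail until the listener is actually encrypted, which is the behaviour the finding asks for.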

Event Timeline

MSantos created this task. Dec 12 2019, 5:44 PM
Restricted Application added a subscriber: Aklapper. Dec 12 2019, 5:44 PM
Jhernandez triaged this task as Medium priority. Dec 18 2019, 4:54 PM
Jhernandez added a subscriber: Pchelolo.

@Pchelolo Apparently internal services are using https; should we update the node services template to do so in production? Thoughts?

Pchelolo added a subscriber: Joe. Dec 18 2019, 4:59 PM

@Jhernandez I guess it's a bigger group question than just me. We do occasionally use https for internal communications already, like RB->MW for example. I think we need to ask @Joe as he is planning to change the pattern for inter-service communication completely, so whatever we do needs to be coordinated with that project.

For reference, here are some notes on other services using encryption within the Wikimedia production environment: https://wikitech.wikimedia.org/wiki/User:Jbond/Encryption

Jhernandez removed a subscriber: Jhernandez. Apr 2 2020, 6:46 PM

Now that mobileapps is being moved to k8s, this seems to be supported now. @akosiaris can you confirm that information?

Related work is being tracked at T255876