
Send HSTS header on all Wordpress VIP-hosted domains
Closed, ResolvedPublic

Description

Given that http redirects to https on diff.wikimedia.org, a HSTS header should probably be sent to force https connections.

It looks like this was set for blog.wikimedia.org in T105905; however, it seems to not be sent after the move to diff.

  • diff.wikimedia.org
  • techblog.wikimedia.org
  • wikimediaendowment.org
  • one.wikimedia.org
  • policy.wikimedia.org
  • soundlogo.wikimedia.org
  • wikimediafoundation.org

https://office.wikimedia.org/wiki/WordPress also contains a row detailing support

Event Timeline

Restricted Application added a subscriber: Aklapper.
Nintendofan885 renamed this task from HSTS header doesn't get sent on diff.wikimedia.org to Send HSTS header on diff.wikimedia.org.Dec 13 2020, 4:26 PM

diff.wikimedia.org is an alias for blog-wikimedia-org.go-vip.net.

^ This is hosted outside WMF infrastructure, so Operations can't do much about this.

This would need involvement of the comms team.

We probably should reach out to them and push on this, though. We do have standards that apply ( https://wikitech.wikimedia.org/wiki/HTTPS ), it's just been a while since we've manually audited everything like in https://wikitech.wikimedia.org/wiki/HTTPS/Domains

RLazarus subscribed.

Emailed Comms about it, will route this appropriately when I hear back.

RLazarus added a subscriber: Varnent.

Thanks @Varnent for offering to look at this, as our primary contact with VIP. It turns out two other VIP-hosted domains, techblog.wikimedia.org and wikimediaendowment.org, also don't set an HSTS header.

RLazarus renamed this task from Send HSTS header on diff.wikimedia.org to Send HSTS header on all VIP-hosted domains.Dec 18 2020, 5:11 PM
RLazarus triaged this task as Medium priority.
Aklapper renamed this task from Send HSTS header on all VIP-hosted domains to Send HSTS header on all Wordpress VIP-hosted domains.Dec 19 2020, 9:42 AM

I've added a row for this attribute to the table at https://office.wikimedia.org/wiki/WordPress.

In doing so, I checked the current state of things, which is:

  • wikimediafoundation.org: Done! – strict-transport-security: max-age=31536000;includeSubdomains;preload
  • policy.wikimedia.org: Done! - strict-transport-security: max-age=31536000; includeSubdomains; preload
  • wikimediaendowment.org: Not yet.
  • techblog.wikimedia.org: Not yet.
  • diff.wikimedia.org: Not yet.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!

Thanks @Varnent for offering to look at this

Any plans to still do that?

I believe it is in pipeline for any requests lingering - but probably best to check with @CKoerner_WMF for diff. For the other two - while not her direct projects - might be good to loop in @Sbenchagra.

@Dzahn Thanks for following up. I am just seeing this ticket. I will follow up and get back to you.

@Dzahn

techblog.wikimedia.org
one.wikimedia.org
diff.wikimedia.org
wikimediaendowment.org

should be good. Please confirm. Thanks

Hi @Sbenchagra,

thank you very much for that. Yes, I can confirm generally all 4 have HSTS headers now/meanwhile. That is great!

There is some detail to it though that I'd like to check because currently we have a very similar ticket for store.wikimedia.org and there just the other day over at T128559#8618787 it has been said that the desired header is:

strict-transport-security: max-age=106384710; includeSubDomains; preload

our current status here is:

diff.wikimedia.org: max-age=31536000;includeSubdomains;preload
one.wikimedia.org: max-age=31536000;includeSubdomains;preload
wikimediaendowment.org: max-age=31536000;includeSubdomains;preload

techblog.wikimedia.org: max-age=31536000

Let me add @Vgutierrez.

Hi Valentin, see above. Do you think "max-age=31536000;includeSubdomains;preload" is fine even if it's not "age=106384710", which you said is desired on the other ticket? What about techblog, though, which does not have the "includeSubdomains;preload" part that we ask for on store.wikimedia.org?

Of course the ticket just says "Send HSTS header" and by a strict definition that is already resolved now.

(used for test: https://geekflare.com/tools/test/6y91adc704a22skkiha3zesc7w65dsix)

@BCornwall I realize "Traffic-Icebox" has been removed, but consulting input from Traffic would still be valuable for this one. Should we close it as resolved, or should we ask for the same standard that is applied to store.wikimedia.org on T128559?

@Dzahn techblog should now have "includeSubdomains;preload"

@Dzahn Happy to give consultation where needed but since we don't manage any of the sites I figured we needn't be added. Truthfully, I'm not sure who even manages this :)

I unmarked soundlogo.wm.o as done:

$ curl -sI https://soundlogo.wikimedia.org | grep strict-transport-security
strict-transport-security: max-age=31536000

We still need ;includeSubdomains;preload appended to it!
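As an added example (not part of this task, and not any VIP or WMF configuration), the following Python checker evaluates header values like the ones quoted in this thread against the policy the thread converges on: max-age of at least 106384710, plus includeSubDomains and preload. It parses directives the way RFC 6797 describes (';'-separated, directive names case-insensitive, which is why "includeSubdomains" and "includeSubDomains" are equivalent, and max-age optionally quoted). The REPORTED dict is constructed from the states reported above; the ".invalid" host is made up to show the missing-header case. Note for the live curl check: header names are case-insensitive too, so a server may send "Strict-Transport-Security"; grep with -i to avoid a false "missing".

```python
"""Check Strict-Transport-Security header values against a policy.

Added example, not code from the task. Sample values are taken from the
states reported in the thread; 106384710 is the max-age the thread asks for.
"""

# Target max-age requested for store.wikimedia.org in T128559 and adopted here.
TARGET_MAX_AGE = 106384710


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains, preload).

    Per RFC 6797: directives are ';'-separated, names are case-insensitive,
    and the max-age value may be quoted. Returns None when there is no valid
    max-age, because such a header is ignored by browsers.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def audit(header_value, target_max_age=TARGET_MAX_AGE):
    """Return a list of problems; an empty list means the header meets policy."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    parsed = parse_hsts(header_value)
    if parsed is None:
        return ["unparseable HSTS value (missing or invalid max-age)"]
    max_age, subs, preload = parsed
    problems = []
    if max_age < target_max_age:
        problems.append(f"max-age {max_age} below target {target_max_age}")
    if not subs:
        problems.append("missing includeSubDomains")
    if not preload:
        problems.append("missing preload")
    return problems


# Constructed sample: header values as reported at various points in the thread.
# The .invalid host is hypothetical, to exercise the missing-header path.
REPORTED = {
    "techblog.wikimedia.org": "max-age=31536000",
    "diff.wikimedia.org": "max-age=31536000;includeSubdomains;preload",
    "policy.wikimedia.org": "max-age=31536000; includeSubdomains; preload",
    "store.wikimedia.org (desired)": "max-age=106384710; includeSubDomains; preload",
    "no-hsts.example.invalid": None,
}


def audit_all(reported=REPORTED, target_max_age=TARGET_MAX_AGE):
    """Audit every host in `reported`; returns {host: [problems]}."""
    return {host: audit(value, target_max_age) for host, value in reported.items()}


if __name__ == "__main__":
    for host, problems in audit_all().items():
        print(f"{host}: {'OK' if not problems else '; '.join(problems)}")
```

One caveat worth keeping in mind when reading the results: includeSubDomains on diff.wikimedia.org only covers hosts under diff.wikimedia.org, not the rest of wikimedia.org, and the preload token by itself changes nothing until the host is actually submitted to and accepted by the browser preload list.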

soundlogo.wikimedia.org is now done!

Hi, @Sbenchagra, thanks for doing this. I'm still unable to confirm that soundlogo has ;includeSubdomains;preload in the header. Maybe a forgotten "save" click? :)

Also, if you have the wherewithal, the max-age should be increased to 106384710 on all the domains. Would you be willing to do that?

Hi @BCornwall, Not a forgotten "save" click. There might be a delay, since it was done about 30 minutes ago. Maybe check in a few?

Yep, seems to have been a delay. It's active now! Thanks for doing all that, @Sbenchagra

Hate to be a pest, but would you also be willing to increase the max-age to 106384710 for us? That would be wonderful :)

Great! No worries @BCornwall! Let me get back to you on that. Thank you

@BCornwall the max-age has been increased to 106384710. Could you confirm all looks good?

Perfect! Thanks so much for your magic hands and making this a reality, @Sbenchagra.

You are welcome! I am curious @BCornwall, why did it take more than two years for this task to be completed?

Good question. I fear I'm not equipped to give an authoritative answer, but generally low priority combined with ownership doubts (who owns these assets and tasks when they're managed by not-SRE?) means tickets like these are more likely to become neglected. SRE is typically overburdened: Old, unactioned tickets are an unfortunate reality. However, efforts are ongoing to improve our processes for more effective ticket management.

If there are other tickets you feel have stagnated and need action, feel free to bring them to my attention and I'll do my best to aid their resolution.

Hope that helps.

Thank you @BCornwall! Same, please flag any tickets that need my attention. Three months ago, I started managing the Foundation's website, and overseeing the non-wiki websites. Thanks again

@Sbenchagra and @BCornwall Thank you soooo much for resolving this. It's great to see long-standing tickets closed.

@Sbenchagra regarding why it took so long, I am not sure either what happened between T270034#6701939 and T270034#8615816 but I think it was scheduled low priority in comms? It's hard to tell because we don't use the same system to work on tickets.