Page MenuHomePhabricator
Create Task
Maniphest T270034

Send HSTS header on all Wordpress VIP-hosted domains
Open, MediumPublic
Actions

Description

Given that http redirects to https on diff.wikimedia.org, a HSTS header should probably be sent to force https connections.

I looks like this was set for blog.wikimedia.org in T105905 however it seems to not be sent after the move to diff

Related Objects

Event Timeline

Nintendofan885 created this task.Dec 13 2020, 4:25 PM
Restricted Application added a project: Traffic. · View Herald TranscriptDec 13 2020, 4:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Nintendofan885 renamed this task from HSTS header doesn't get sent on diff.wikimedia.org to Send HSTS header on diff.wikimedia.org.Dec 13 2020, 4:26 PM
Restricted Application added a project: SRE. · View Herald TranscriptDec 13 2020, 4:26 PM
Dzahn added a subscriber: Dzahn.Dec 14 2020, 6:07 PM

diff.wikimedia.org is an alias for blog-wikimedia-org.go-vip.net.

^ This is hosted outside WMF infrastructure, so Operations can't do much about this.

This would need involvement of the comms team.

BBlack added a subscriber: BBlack.Dec 14 2020, 7:09 PM

We probably should reach out to them and push on this, though. We do have standards that apply ( https://wikitech.wikimedia.org/wiki/HTTPS ), it's just been a while since we've manually audited everything like in https://wikitech.wikimedia.org/wiki/HTTPS/Domains

RLazarus claimed this task.Dec 18 2020, 4:53 PM
RLazarus added a subscriber: RLazarus.

Emailed Comms about it, will route this appropriately when I hear back.

RLazarus reassigned this task from RLazarus to Varnent.Dec 18 2020, 5:11 PM
RLazarus added a subscriber: Varnent.

Thanks @Varnent for offering to look at this, as our primary contact with VIP. It turns out two other VIP-hosted domains, techblog.wikimedia.org and wikimediaendowment.org, also don't set an HSTS header.

RLazarus renamed this task from Send HSTS header on diff.wikimedia.org to Send HSTS header on all VIP-hosted domains.Dec 18 2020, 5:11 PM
RLazarus triaged this task as Medium priority.
Aklapper renamed this task from Send HSTS header on all VIP-hosted domains to Send HSTS header on all Wordpress VIP-hosted domains.Dec 19 2020, 9:42 AM
Nintendofan885 added a project: Technical blog.Dec 29 2020, 4:16 PM
RhinosF1 added a subscriber: RhinosF1.Dec 29 2020, 5:27 PM
Krinkle added a subscriber: Krinkle.Jun 19 2021, 3:59 AM

I've added a row for this attribute to the table at https://office.wikimedia.org/wiki/WordPress.

In doing so, I checked the current state of things, which is:

  • wikimediafoundation.org: Done! – strict-transport-security: max-age=31536000;includeSubdomains;preload
  • policy.wikimedia.org: Done! - strict-transport-security: max-age=31536000; includeSubdomains; preload
  • wikimediaendowment.org: Not yet.
  • techblog.wikimedia.org: Not yet.
  • diff.wikimedia.org: Not yet.
BBlack moved this task from Triage to Icebox-Temp on the Traffic board.Oct 8 2021, 6:37 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Oct 8 2021, 8:04 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that aren't are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

BBlack moved this task from Backlog to Complicated on the Traffic-Icebox board.Apr 13 2022, 7:52 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL