
Send HSTS header on all Wordpress VIP-hosted domains
Open, MediumPublic

Description

Given that http redirects to https on diff.wikimedia.org, an HSTS header should probably be sent to force https connections.

It looks like this was set for blog.wikimedia.org in T105905; however, it seems to not be sent after the move to diff.


Event Timeline

Restricted Application added a subscriber: Aklapper.
Nintendofan885 renamed this task from "HSTS header doesn't get sent on diff.wikimedia.org" to "Send HSTS header on diff.wikimedia.org". Dec 13 2020, 4:26 PM

diff.wikimedia.org is an alias for blog-wikimedia-org.go-vip.net.

^ This is hosted outside WMF infrastructure, so Operations can't do much about this.

This would need involvement of the comms team.

We probably should reach out to them and push on this, though. We do have standards that apply ( https://wikitech.wikimedia.org/wiki/HTTPS ), it's just been a while since we've manually audited everything like in https://wikitech.wikimedia.org/wiki/HTTPS/Domains

RLazarus added a subscriber: RLazarus.

Emailed Comms about it, will route this appropriately when I hear back.

RLazarus added a subscriber: Varnent.

Thanks @Varnent for offering to look at this, as our primary contact with VIP. It turns out two other VIP-hosted domains, techblog.wikimedia.org and wikimediaendowment.org, also don't set an HSTS header.

RLazarus renamed this task from "Send HSTS header on diff.wikimedia.org" to "Send HSTS header on all VIP-hosted domains". Dec 18 2020, 5:11 PM
RLazarus triaged this task as Medium priority.
Aklapper renamed this task from "Send HSTS header on all VIP-hosted domains" to "Send HSTS header on all Wordpress VIP-hosted domains". Dec 19 2020, 9:42 AM

I've added a row for this attribute to the table at https://office.wikimedia.org/wiki/WordPress.

In doing so, I checked the current state of things, which is:

  • wikimediafoundation.org: Done! – strict-transport-security: max-age=31536000;includeSubdomains;preload
  • policy.wikimedia.org: Done! - strict-transport-security: max-age=31536000; includeSubdomains; preload
  • wikimediaendowment.org: Not yet.
  • techblog.wikimedia.org: Not yet.
  • diff.wikimedia.org: Not yet.
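The table above was filled in by hand. The following is an added example, not code from this task or from WMF, of how such an audit can be scripted: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 requires (directive names are case-insensitive, max-age is mandatory, a duplicated directive invalidates the header, unknown directives are ignored) and then grades the value. The grading thresholds are an assumption taken from the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), which the two "Done!" values above satisfy; the WMF HTTPS standard linked earlier may differ. The SAMPLE table is constructed from the five results listed in the comment above, with the three "Not yet" domains represented by an absent header.

```python
"""Audit Strict-Transport-Security headers (added example, not WMF code)."""
import http.client
import ssl

# Assumption: hstspreload.org's minimum max-age for a preload submission.
ONE_YEAR = 31536000


def parse_hsts(value):
    """Return {directive_name: value_or_None} for one HSTS header value.

    Follows RFC 6797 section 6.1. Raises ValueError when a user agent would
    discard the header (missing/invalid max-age or a duplicated directive),
    because in that case the site gets no HSTS protection at all.
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';' or doubled separators
        name, sep, val = raw.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip() if sep else None
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # max-age="31536000" (quoted-string) is allowed
        if name in directives:
            raise ValueError("duplicate directive %r" % name)
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    max_age = directives["max-age"]
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives


def evaluate_hsts(value):
    """Grade a header value; value is None when the header is absent."""
    if value is None:
        return "missing"
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return "invalid: %s" % e
    if d["max-age"] == 0:
        return "disabled (max-age=0)"  # max-age=0 tells UAs to forget the host
    if d["max-age"] < ONE_YEAR:
        return "weak: max-age below one year"
    if "includesubdomains" not in d:
        return "ok: no includeSubDomains"
    if "preload" not in d:
        return "ok: preload-ready except preload directive"
    return "preload-ready"


def fetch_hsts(host, timeout=10):
    """Fetch the live header over TLS with a HEAD request (network; not used by the tests)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample: the five results recorded in the comment above.
SAMPLE = {
    "wikimediafoundation.org": "max-age=31536000;includeSubdomains;preload",
    "policy.wikimedia.org": "max-age=31536000; includeSubdomains; preload",
    "wikimediaendowment.org": None,
    "techblog.wikimedia.org": None,
    "diff.wikimedia.org": None,
}


def audit(table):
    """Map each host in {host: header_value_or_None} to its grade."""
    return {host: evaluate_hsts(value) for host, value in table.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print("%-28s %s" % (host, status))
```

To run it against the real domains, replace SAMPLE with `{h: fetch_hsts(h) for h in SAMPLE}`; note that a HEAD on "/" only observes the header on that one response, so a site that sets it on some paths or only after a redirect would need the redirect chain followed as well.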

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!