Mostly we need to figure out if the HSTS header will be added by an intermediate service (varnish, k8s ingress, etc) or should be emitted directly from the Toolhub backend.
|Open||None||T288685 Establish active/active multi-dc support for Toolhub|
|Resolved||bd808||T115650 Create an authoritative and well promoted catalog of Wikimedia tools|
|Open||bd808||T271483 Complete and announce initial production deployment of Toolhub|
|Resolved||bd808||T288557 Ensure that production deployment includes a Strict-Transport-Security header for toolhub.wikimedia.org|
That makes sense as the CDN edge is in control of the TLS certificates and encryption to the browser. I will leave this open until we can verify that the header is indeed being added as expected. That will be possible after we connect the CDN edge to the Kubernetes service to create in ingress for https://toolhub.wikimedia.org/.