[[HTTP Strict Transport Security]] header should be sent by MediaWiki.
Version: unspecified
Severity: enhancement
[[HTTP Strict Transport Security]] header should be sent by MediaWiki.
Version: unspecified
Severity: enhancement
This will seemingly also require some server side configuration for it to be enabled on WMF projects
(In reply to comment #1)
will also require some server side configuration on WMF projects
Covered in bug 38516
The extension HSTS https://www.mediawiki.org/wiki/Extension:HSTS does exactly this (adding STS header) with some possibility to customise it per user, by means of BetaFeature if it is installed or a classical preference else.
Does it answer to the bug, or should it stay open to discuss about adding HSTS in MediaWiki core? (for the Wikimedia sites, see bug 38516.)
Since this bug is about MW and/or extensions rather than Wikimedia's infrastructure, I don't feel it's my place to close this off either. But I'll my add my $0.02 in any case: