payments.wikimedia.org
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Chmarkine
	Jan 31 2015, 3:31 AM

Description

payments.wikimedia.org is HTTPS only. So how about enabling HTTP Strict Transport Security?

Related Objects
Search...

Status	Assigned	Task
Resolved	BBlack	T104681 HTTPS Plans (tracking / high-level info)
Resolved	BBlack	T104244 Preload HSTS
Resolved	BBlack	T40516 Enable HSTS on Wikimedia sites
Resolved	Jgreen	T88199 Enable HSTS on https://payments.wikimedia.org

Event Timeline

Chmarkine created this task.Jan 31 2015, 3:31 AM

Chmarkine raised the priority of this task from to Needs Triage.

Chmarkine updated the task description. (Show Details)

Chmarkine added projects: HTTPS, Wikimedia-Fundraising.

Chmarkine subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2015, 3:31 AM

Chmarkine set Security to None.Jan 31 2015, 3:33 AM

Chmarkine added subscribers: Jgreen, JanZerebecki, Dzahn, Matanya.

Chmarkine added a parent task: T40516: Enable HSTS on Wikimedia sites.Jan 31 2015, 3:36 AM

Liuxinyu970226 subscribed.Jan 31 2015, 7:32 AM

Jgreen triaged this task as Medium priority.Feb 2 2015, 2:38 PM

what you need for this:

ensure mod_headers is loaded in Apache

a config line like: Header set Strict-Transport-Security "max-age=31536000"

before we did this on other services csteipp recommended to start with a lower max-age, like one week, and then raise it to 1yr. qualys ssl check will like you only if it is at least 6 months or it will call it "too short"

careful, because this can't be reverted

for nginx: add_header Strict-Transport-Security max-age=31536000;

Jgreen added a subscriber: K4-713.Feb 3 2015, 7:02 PM