
Enable HSTS on
Closed, Resolved · Public

Description

is HTTPS only. So how about enabling HTTP Strict Transport Security?

Event Timeline

Chmarkine raised the priority of this task from to Needs Triage.
Chmarkine updated the task description.
Chmarkine added a subscriber: Chmarkine.
Restricted Application added a subscriber: Aklapper. Jan 31 2015, 3:31 AM
Chmarkine set Security to None. Jan 31 2015, 3:33 AM
Chmarkine added subscribers: Jgreen, JanZerebecki, Dzahn, Matanya.
Jgreen triaged this task as Medium priority. Feb 2 2015, 2:38 PM
Dzahn added a comment. Feb 2 2015, 8:51 PM

What you need for this:

  • ensure mod_headers is loaded in Apache
  • a config line like: Header set Strict-Transport-Security "max-age=31536000"

Before we did this on other services, csteipp recommended starting with a lower max-age, like one week, and then raising it to 1 yr. The Qualys SSL check will like you only if it is at least 6 months, or it will call it "too short".

Careful, because this can't be reverted.
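A small checker for the header value discussed above, added here as an example (not code from the task or from the Wikimedia deployment): it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 specifies and places max-age on the ramp the comment describes (short while rolling out, at least six months to satisfy Qualys, one year as the target). The six-month figure is my approximation in seconds; the one-year value is the 31536000 from the comment.

```python
from dataclasses import dataclass, field
from typing import Optional
# Thresholds quoted in the thread (six months is approximate).
SIX_MONTHS = 182 * 24 * 3600    # below this Qualys calls max-age "too short"
ONE_YEAR = 365 * 24 * 3600      # the 31536000 target from the comment

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    problems: list = field(default_factory=list)

def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse per RFC 6797 6.1: names are case-insensitive, repeats are invalid."""
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # max-age may be a quoted-string
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"bad max-age value: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        # other directives are ignored, as the RFC requires
    if policy.max_age is None:
        policy.problems.append("max-age missing; browsers ignore the header")
    return policy

def rate_max_age(policy: HstsPolicy) -> str:
    """Place the value on the ramp discussed in the thread."""
    if policy.max_age is None:
        return "invalid"
    if policy.max_age == 0:
        return "disabled"    # tells revisiting browsers to drop the stored policy
    if policy.max_age < SIX_MONTHS:
        return "ramp-up"     # fine during rollout, but Qualys will flag it
    if policy.max_age < ONE_YEAR:
        return "qualys-ok"
    return "target"
```

Run it against the header your server actually sends (for example from `curl -sI https://host | grep -i strict`) before and after each step of the ramp.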

Jgreen added a comment. Feb 3 2015, 6:49 PM

For nginx: add_header Strict-Transport-Security max-age=31536000;

Jgreen added a subscriber: K4-713. Feb 3 2015, 7:02 PM
Jgreen closed this task as Resolved. Feb 3 2015, 7:27 PM
Jgreen claimed this task.

This is done. We start at 30 days.