Task #1086
closedenable HTTP Strict Transport Security
0%
Description
We should think about enabling HTTP Strict Transport Security
Updated by Guilhem Moulin over 4 years ago
- Category set to Webserver
- Status changed from New to In Progress
- Assignee set to Guilhem Moulin
- Target version set to Q2/2020
This is being done as we upgrade our HTTPd (TLS termination proxy) to Debian Buster, with a 1 year expiration time and the includeSubDomains flag set:
$ curl -sI https://wiki.documentfoundation.org | grep -i Strict-Transport-Security: strict-transport-security: max-age=31557600; includeSubDomains
Didn't hear any complain about our TLS endpoints or X.509 PKI, so was waaay past time to deploy HSTS. Thanks to Let's Encrypt and ACME certificate rollout is easy (at least until we deploy HPKP too) and should something go bad, the fix wouldn't be to downgrade to plaintext connections, but to fix our TLS endpoint or PKI.
All services hosted on Debian 10 have been dealt with already. That includes the wiki, blog, AskBot, Matomo, Online Help, and more. Other will be dealt with as part of the upgrade path.
Updated by Florian Effenberger over 3 years ago
- Status changed from In Progress to Closed
Work is done in Satl states, majority of sites handled, rollout will happen automatically with the base OS upgrades