Task #1086

enable HTTP Strict Transport Security

Added by Florian Effenberger almost 6 years ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Category: Webserver
Target version: Team - Q2/2020
Start date:
Due date:
% Done: 0%
Tags: Salt
URL:
Description

We should think about enabling HTTP Strict Transport Security

History

#1

Updated by Alexander Werner almost 6 years ago

  • Tags EasyHack, Salt added
#2

Updated by Guilhem Moulin about 1 year ago

  • Category set to Webserver
  • Status changed from New to In Progress
  • Assignee set to Guilhem Moulin
  • Target version set to Q2/2020

This is being done as we upgrade our HTTPd (TLS termination proxy) to Debian Buster, with a 1 year expiration time and the includeSubDomains flag set:

$ curl -sI https://wiki.documentfoundation.org | grep -i Strict-Transport-Security:
strict-transport-security: max-age=31557600; includeSubDomains

Didn't hear any complaint about our TLS endpoints or X.509 PKI, so it was way past time to deploy HSTS. Thanks to Let's Encrypt and ACME, certificate rollout is easy (at least until we deploy HPKP too), and should something go bad, the fix wouldn't be to downgrade to plaintext connections, but to fix our TLS endpoint or PKI.

All services hosted on Debian 10 have been dealt with already. That includes the wiki, blog, AskBot, Matomo, Online Help, and more. Others will be dealt with as part of the upgrade path.
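The curl one-liner in the comment above only shows that a header is present. The following is an added example (not code from this ticket, the TDF Salt states or the HTTPd configuration) that parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes and checks it against the policy the comment says was deployed: a max-age of at least one year and includeSubDomains set. The header values below are constructed samples, except the first, which is the one quoted from the curl output above; the names `parse_hsts`, `check_hsts`, `check_response_headers` and the `ONE_YEAR` threshold are this example's own assumptions.

```python
"""Parse and check a Strict-Transport-Security header (RFC 6797).

Added example, not code from the TDF infrastructure or its Salt states.
Policy thresholds below are assumptions mirroring the ticket comment:
max-age of at least one year and includeSubDomains present.
"""
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # 365 days in seconds; the deployed 31557600 is 365.25 days


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None if the header is not valid HSTS.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is mandatory, its value may be quoted, and
    a directive appearing twice makes the whole header invalid (a user
    agent then ignores it, i.e. the site silently loses HSTS).
    """
    seen: dict[str, str] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';'
        name, _, arg = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive invalidates the header
        seen[name] = arg.strip()
    if "max-age" not in seen:
        return None
    m = re.fullmatch(r'"?(\d+)"?', seen["max-age"])
    if m is None:
        return None  # non-numeric or malformed max-age
    return HstsPolicy(
        max_age=int(m.group(1)),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def check_hsts(value: Optional[str], min_age: int = ONE_YEAR,
               require_subdomains: bool = True) -> list[str]:
    """Return findings; an empty list means the header meets the policy."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return [f"unparseable HSTS header: {value!r}"]
    findings = []
    if policy.max_age == 0:
        # max-age=0 is how a site withdraws HSTS; it is not a weak setting
        # by accident but it must never be served unintentionally.
        findings.append("max-age=0 withdraws HSTS from the client's cache")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the {min_age}s minimum")
    if require_subdomains and not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay downgradable")
    return findings


def check_response_headers(headers: dict[str, str]) -> list[str]:
    """Look the header up case-insensitively, as HTTP header names are."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    return check_hsts(hsts)


# Constructed sample response headers. Only "wiki" reproduces the value
# quoted from the curl output in the ticket; the rest are made up.
SAMPLES = {
    "wiki": {"strict-transport-security": "max-age=31557600; includeSubDomains"},
    "short": {"Strict-Transport-Security": "max-age=86400"},
    "dup": {"Strict-Transport-Security": "max-age=31536000; max-age=0"},
    "off": {"Strict-Transport-Security": "max-age=0"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:6} {check_response_headers(hdrs) or 'OK'}")
```

Two checks a practitioner would add when wiring this into a Salt or CI test: run it against every subdomain, since includeSubDomains commits all of them to HTTPS for the full max-age, and treat an unparseable header as a failure rather than a warning, because browsers drop an invalid policy entirely instead of applying part of it.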

#3

Updated by Guilhem Moulin about 1 year ago

  • Tags deleted (EasyHack)
#4

Updated by Florian Effenberger 6 months ago

  • Status changed from In Progress to Closed

Work is done in Salt states, the majority of sites are handled, and rollout will happen automatically with the base OS upgrades.
