enable HTTP Strict Transport Security
We should think about enabling HTTP Strict Transport Security
Updated by Guilhem Moulin about 1 year ago
- Category set to Webserver
- Status changed from New to In Progress
- Assignee set to Guilhem Moulin
- Target version set to Q2/2020
This is being done as we upgrade our HTTPd (TLS termination proxy) to Debian Buster, with a 1 year expiration time and the
includeSubDomains flag set:
$ curl -sI https://wiki.documentfoundation.org | grep -i Strict-Transport-Security:
strict-transport-security: max-age=31557600; includeSubDomains
Didn't hear any complaints about our TLS endpoints or X.509 PKI, so it was waaay past time to deploy HSTS. Thanks to Let's Encrypt and ACME, certificate rollout is easy (at least until we deploy HPKP too), and should something go bad, the fix wouldn't be to downgrade to plaintext connections, but to fix our TLS endpoint or PKI.
All services hosted on Debian 10 have been dealt with already. That includes the wiki, blog, AskBot, Matomo, Online Help, and more. Others will be dealt with as part of the upgrade path.
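The curl check quoted above only shows that the header is present. The following is an added example (not part of this ticket or of TDF's infrastructure tooling) that parses a Strict-Transport-Security value the way RFC 6797 describes and flags the policies a rollout like this one should reject: a missing or malformed max-age, a max-age below one year, max-age=0 (which switches HSTS off for the host), and a missing includeSubDomains flag. The header values in SAMPLES are constructed test inputs; the first is the value the ticket shows for the wiki.

```python
"""Validate a Strict-Transport-Security header value (RFC 6797 section 6.1).

Added example for the HSTS deployment discussed in the ticket; it is not
TDF's own tooling. The header values in SAMPLES are constructed inputs,
not live responses.
"""
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the usual recommended minimum max-age


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an HSTS header value.

    Directives are separated by ';', names are case-insensitive, unknown
    directives are ignored, and max-age must appear exactly once with a
    non-negative integer (optionally quoted). Malformed input raises
    ValueError so that a check fails closed instead of passing silently.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                raise ValueError(f"bad or duplicate max-age in {value!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError(f"max-age missing in {value!r}")
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(value: str, min_age: int = ONE_YEAR) -> list[str]:
    """Return the problems found with the policy; an empty list means it passes."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


# Constructed sample header values; "wiki" is the value quoted in the ticket.
SAMPLES = {
    "wiki": "max-age=31557600; includeSubDomains",
    "short": "max-age=86400",
    "disabled": "max-age=0; includeSubDomains",
    "broken": "includeSubDomains",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        problems = hsts_findings(value)
        print(f"{name:9} {value!r:40} -> {problems or 'OK'}")
```

In practice the value fed to hsts_findings would come from the header line the curl command in the ticket prints, with the "strict-transport-security:" prefix stripped; failing closed on a malformed max-age matters because browsers discard the whole header in that case, so the site silently loses HSTS protection while the header still "looks" present.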