Project

General

Profile

Actions

Task #1086

closed

enable HTTP Strict Transport Security

Added by Florian Effenberger almost 10 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Category:
Webserver
Target version:
Team - Q2/2020
Start date:
Due date:
% Done:

0%

Tags:
Salt

Description

We should think about enabling HTTP Strict Transport Security

Actions #1

Updated by Alexander Werner almost 10 years ago

  • Tags EasyHack, Salt added
Actions #2

Updated by Guilhem Moulin almost 5 years ago

  • Category set to Webserver
  • Status changed from New to In Progress
  • Assignee set to Guilhem Moulin
  • Target version set to Q2/2020

This is being done as we upgrade our HTTPd (TLS termination proxy) to Debian Buster, with a 1 year expiration time and the includeSubDomains flag set:

$ curl -sI https://wiki.documentfoundation.org | grep -i Strict-Transport-Security:
strict-transport-security: max-age=31557600; includeSubDomains

Didn't hear any complain about our TLS endpoints or X.509 PKI, so was waaay past time to deploy HSTS. Thanks to Let's Encrypt and ACME certificate rollout is easy (at least until we deploy HPKP too) and should something go bad, the fix wouldn't be to downgrade to plaintext connections, but to fix our TLS endpoint or PKI.

All services hosted on Debian 10 have been dealt with already. That includes the wiki, blog, AskBot, Matomo, Online Help, and more. Other will be dealt with as part of the upgrade path.

Actions #3

Updated by Guilhem Moulin almost 5 years ago

  • Tags deleted (EasyHack)
Actions #4

Updated by Florian Effenberger over 4 years ago

  • Status changed from In Progress to Closed

Work is done in Satl states, majority of sites handled, rollout will happen automatically with the base OS upgrades

Actions

Also available in: Atom PDF