
fix(security): update HSTS to 31536000 #2010

Merged
merged 1 commit into from
Jul 30, 2019

Conversation

chenba
Contributor

@chenba chenba commented Jul 30, 2019

Update HSTS to the value asked on the Security Checklist.

For consistency, I'm updating all the HSTS max-age values in the monorepo.

Part of #1128

@mozilla/fxa-devs r>

Update HSTS to the value asked on the Security Checklist.

Part of mozilla#1128

reorder props
@chenba chenba force-pushed the 1128-update-hsts branch from 7f63517 to 8c49ee2 on July 30, 2019 18:55
Contributor

@lmorchard lmorchard left a comment


LGTM - though I wonder why it was at 180 days instead of a year?

I'm fuzzy on understanding HSTS. I think this means, when set to one year, that we cannot disable HSTS for one year. (i.e. we can't go back to serving things as non-SSL http://) But that seems okay because we will never want to disable HSTS - does that seem correct?

@chenba
Contributor Author

chenba commented Jul 30, 2019

We can force it to expire by setting 0. But like you said, I don't see why we'd want to do that.

@chenba chenba merged commit 6314a04 into mozilla:master Jul 30, 2019
@shane-tomlinson
Contributor

I'm not sure why we weren't at 1 year, and it seems like we should add subscriptions.firefox.com to the HSTS preload list. We aren't sending the preload parameter in the header either, strange.

@jrgm - does anything need to be added to the nginx config to update hsts values?

@shane-tomlinson
Contributor

We aren't sending the preload parameter in the header either, strange.

accounts.firefox.com and its subdomains are pre-loaded, @jrgm and @fmarier did the grunt work long ago.
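The thread touches three properties of the Strict-Transport-Security header: the checklist value of 31536000 seconds that this PR sets, expiring a cached policy by sending max-age=0, and the preload directive that the hstspreload.org submission process requires alongside includeSubDomains and a max-age of at least one year. The following Node.js snippet is an added example, not code from this PR or from the fxa repository: it parses a header value per RFC 6797 (directive names case-insensitive, max-age mandatory, includeSubDomains and preload valueless) and reports what would keep the header from meeting the checklist or the preload requirements. The sample header values are constructed for illustration; the 15552000-second one is simply 180 days expressed in seconds and is not taken from the repository's previous configuration.

```javascript
// Added example (not fxa project code): parse a Strict-Transport-Security
// header value and check it against the value this PR sets (31536000 s)
// and the hstspreload.org submission requirements.
const ONE_YEAR_SECONDS = 31536000; // value required by the Security Checklist

// Parse "max-age=...; includeSubDomains; preload" into a policy object.
// Throws on a malformed or missing max-age, since RFC 6797 requires it.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false, unknown: [] };
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, ...rest] = directive.split('=');
    const key = name.trim().toLowerCase(); // directive names are case-insensitive
    const value = rest.join('=').trim().replace(/^"|"$/g, ''); // allow quoted-string form
    if (key === 'max-age') {
      if (!/^\d+$/.test(value)) {
        throw new Error(`invalid max-age value: ${JSON.stringify(value)}`);
      }
      policy.maxAge = Number(value);
    } else if (key === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (key === 'preload') {
      policy.preload = true;
    } else {
      policy.unknown.push(key); // unknown directives must be ignored, but are worth surfacing
    }
  }
  if (policy.maxAge === null) {
    throw new Error('max-age directive is required (RFC 6797)');
  }
  return policy;
}

// Evaluate a header value and list every reason it falls short of the
// checklist value or of preload-list eligibility.
function checkHsts(headerValue) {
  const policy = parseHsts(headerValue);
  const findings = [];
  if (policy.maxAge === 0) {
    // max-age=0 tells browsers to delete the cached policy for this host
    findings.push('max-age=0: browsers will drop the cached HSTS policy for this host');
  } else if (policy.maxAge < ONE_YEAR_SECONDS) {
    findings.push(`max-age ${policy.maxAge} is below the checklist value ${ONE_YEAR_SECONDS}`);
  }
  if (!policy.includeSubDomains) {
    findings.push('includeSubDomains missing (required for preload submission)');
  }
  if (!policy.preload) {
    findings.push('preload directive missing (required for preload submission)');
  }
  return { policy, preloadEligible: findings.length === 0, findings };
}

// Constructed sample header values for a stand-alone run.
const SAMPLE_HEADERS = {
  oneYearPreload: 'max-age=31536000; includeSubDomains; preload',
  halfYearNoPreload: 'max-age=15552000; includeSubDomains', // 180 days in seconds
  expire: 'max-age=0',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
    const result = checkHsts(header);
    console.log(`${label}: ${header}`);
    console.log(`  preload eligible: ${result.preloadEligible}`);
    for (const f of result.findings) console.log(`  - ${f}`);
  }
}
```

Run it with `node hsts-check.js` (file name is a placeholder); the one-year header with includeSubDomains and preload comes back eligible, the 180-day header is flagged on max-age and on the missing preload directive, and max-age=0 is reported as a policy expiry rather than a short lifetime.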

@shane-tomlinson
Contributor

shane-tomlinson commented Aug 1, 2019

mozilla/fxa-content-server#208 on why we set to 180 days, I note that value was "tentative".
