
Enable HSTS preloading #1

Open: wants to merge 2 commits into base: development
@blueschu (Owner) commented Jun 4, 2019

While the Troop 89 website already implements HTTP Strict-Transport-Security (HSTS), it does not satisfy the requirements for HSTS preloading. According to Google Chrome's HSTS preload submission website, the Troop 89 website cannot currently be preloaded since:

  • The HSTS max-age value is too small (must be at least 31536000 seconds, or 1 year)
  • The HSTS header does not contain the 'preload' directive

Each of these requirements is trivially satisfied by configuring the SecurityMiddleware settings.

In release v0.15.0, the max-age value in the HSTS header was set to 1 month as the final step in Google's recommended deployment steps for HSTS preloading. If no issues arrive by the end of June 2019, this PR will be merged into development and the Troop 89 website will be registered for HSTS preloading shortly after the next release.
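As an added illustration (not code from this PR or the Troop 89 repository), the following renders the Strict-Transport-Security header the way Django's SecurityMiddleware builds it from the three SECURE_HSTS_* settings, then checks it against the hstspreload.org requirements the PR description refers to. The settings dictionary and the 30-day "before" header are constructed values standing in for the project's settings.py.

```python
import re

# Minimum max-age the Chrome HSTS preload list accepts (1 year in seconds).
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed settings.py fragment: the SecurityMiddleware values that make
# the header preload-eligible (SECURE_HSTS_SECONDS is the one this PR raises).
PRELOAD_SETTINGS = {
    "SECURE_HSTS_SECONDS": PRELOAD_MIN_MAX_AGE,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
}


def build_hsts_header(settings):
    """Render the header value as django.middleware.security.SecurityMiddleware
    does: max-age first, then the optional includeSubDomains and preload tokens."""
    value = "max-age=%d" % settings["SECURE_HSTS_SECONDS"]
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
        value += "; includeSubDomains"
    if settings.get("SECURE_HSTS_PRELOAD"):
        value += "; preload"
    return value


def check_preload_eligibility(header):
    """Return the list of reasons a header is NOT eligible for preloading.

    An empty list means eligible. The checks mirror the published
    hstspreload.org requirements: max-age of at least one year, an
    includeSubDomains directive, and a preload directive.
    """
    directives = [d.strip() for d in header.split(";") if d.strip()]
    names = {d.split("=", 1)[0].lower() for d in directives}
    problems = []
    match = re.search(r"max-age=(\d+)", header, re.IGNORECASE)
    if match is None:
        problems.append("missing max-age directive")
    elif int(match.group(1)) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age too small (must be at least %d seconds)"
                        % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in names:
        problems.append("missing includeSubDomains directive")
    if "preload" not in names:
        problems.append("missing preload directive")
    return problems
```

Running the check against a constructed 30-day header such as `max-age=2592000; includeSubDomains` reproduces the two rejection reasons quoted in the description, while the header built from PRELOAD_SETTINGS passes cleanly.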

blueschu added some commits Jun 2, 2019

Upgrade hsts max-age to 1 year
Set SECURE_HSTS_SECONDS to 31536000 seconds per the requirements of the
Google Chrome HSTS preload list. See https://hstspreload.org/ for more
details

@blueschu blueschu marked this pull request as ready for review Jun 4, 2019
