website,x/gddo: enable HSTS for godoc.org and golang.org #26162

Open
lgarron opened this issue Jun 30, 2018 · 5 comments

Comments

@lgarron

commented Jun 30, 2018

godoc.org uses HTTPS. It would be great to increase protection by implementing HSTS and preloading: https://hstspreload.org/?domain=godoc.org

This is especially valuable for godoc.org, since URLs are designed to be easily constructed (from other URLs) by hand and not everyone might add/keep the HTTPS scheme when they do so.

cc @FiloSottile

@lgarron

Author

commented Jun 30, 2018

It seems the godoc.org server is constructed at

https://github.com/golang/gddo/blob/9ab275bde8fe1bb887642e9250b8d58aba11af61/gddo-server/main.go#L850

but I'm not sure about the best place to add a new header.

@agnivade

Member

commented Jun 30, 2018

If this is just about godoc.org, I believe issues about that are tracked on that repo.

I also checked golang.org which seems to be missing the includeSubDomains directive, but it does have the preload header though.

@odeke-em changed the title from "HSTS for godoc.org" to "x/gddo: HSTS for godoc.org" Jul 2, 2018

@gopherbot gopherbot added this to the Unreleased milestone Jul 2, 2018

@FiloSottile

Member

commented Jul 2, 2018

I suggested opening an issue here so that we can do godoc and golang.org at the same time.

@agnivade changed the title from "x/gddo: HSTS for godoc.org" to "website,x/gddo: enable HSTS for godoc.org and golang.org" Jul 3, 2018

@agnivade

Member

commented Jul 3, 2018

Ah alright. ping @andybons for golang.org.

@gopherbot


commented Jul 4, 2018

Change https://golang.org/cl/122175 mentions this issue: cmd/godoc,cmd/tip: enable HSTS

gopherbot pushed a commit to golang/tools that referenced this issue Jul 6, 2018
cmd/godoc,cmd/tip: enable HSTS preload
Add the includeSubDomains directive to meet the requirements
for being added to the preload list described at https://hstspreload.org/.

Updates golang/go#26162

Change-Id: I415775aa523bcef3a52f1853de033f343b914e83
Reviewed-on: https://go-review.googlesource.com/122175
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
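
An added example, not code from golang/tools or golang/gddo: a `net/http` wrapper that sets the HSTS header, and a checker that reports which header requirements from https://hstspreload.org/ a given value still misses (`max-age` of at least 31536000, `includeSubDomains`, `preload`). The names `HSTS`, `PreloadGaps` and `hstsValue` are hypothetical, the policy value and sample header are constructed, and the wrapper assumes the Go server terminates TLS itself so that `r.TLS` is set.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Constructed policy: one year, all subdomains, preload opt-in.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// HSTS sets the header on TLS requests only; RFC 6797 forbids it over plain HTTP.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsValue)
		}
		next.ServeHTTP(w, r)
	})
}

// PreloadGaps lists the hstspreload.org header requirements that v does not meet.
func PreloadGaps(v string) []string {
	maxAge, seen := int64(-1), map[string]bool{}
	for _, d := range strings.Split(v, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		name = strings.ToLower(strings.TrimSpace(name))
		seen[name] = true
		if name == "max-age" {
			if n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64); err == nil {
				maxAge = n
			}
		}
	}
	var gaps []string
	if maxAge < 31536000 {
		gaps = append(gaps, "max-age below 31536000")
	}
	for _, want := range []string{"includesubdomains", "preload"} {
		if !seen[want] {
			gaps = append(gaps, "missing "+want)
		}
	}
	return gaps
}

func main() {
	fmt.Println(PreloadGaps("max-age=31536000; preload")) // constructed header without includeSubDomains
}
```

Because `includeSubDomains` applies the policy to every host under the domain, each subdomain needs to serve HTTPS before the directive is deployed.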