Add HTTP strict transport security headers (HSTS) #2155

Open
rhymes opened this issue Mar 21, 2019 · 1 comment

@rhymes (Collaborator) commented Mar 21, 2019

Is your feature request related to a problem? Please describe.

By playing with dev.to's report of Mozilla Observatory I noticed the website does not send HSTS headers.

The TL;DR of that is that the HSTS header forces the client to connect only using HTTPS (which is different from the server-side redirect from HTTP to HTTPS).

Describe the solution you'd like

I'll summarise the recommended plan of action:

  1. all domains and subdomains of dev.to should be checked to make sure they all work in HTTPS (even those handled by third party like shop.dev.to)
  2. ramp up the max-age in steps, for example from max-age=300; includeSubDomains to a month: max-age=2592000; includeSubDomains
  3. once everything works you can set it the recommended two years max-age=63072000; includeSubDomains; preload and add the domain to the HSTS preload list

Header example:

Strict-Transport-Security: max-age=xyz

With Rails it would be enabled like this:

config.ssl_options = { hsts: { expires: 5.minutes } }

Options to enable subdomains and preload are also present.

Resources:

Describe alternatives you've considered

Doing nothing :D
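As an added example (not code from the issue or from the dev.to codebase), the following Ruby parses a Strict-Transport-Security value the way a defender checking the ramp-up plan above would, builds the header string in the same format Rails' config.ssl_options emits (an assumption, without ActiveSupport durations), and reports which step of the plan a given value satisfies; the one-year preload minimum is hstspreload.org's requirement, while the issue recommends two years.

```ruby
# Added example, not part of the issue: inspect HSTS header values against
# the ramp-up plan (5 minutes -> 1 month -> 2 years + includeSubDomains + preload).

# hstspreload.org requires max-age of at least one year; the issue recommends two.
PRELOAD_MIN_MAX_AGE = 31_536_000
INITIAL_MAX_AGE     = 300

# Parse "max-age=300; includeSubDomains; preload" into a Hash.
# Directive names are case-insensitive (RFC 6797); max-age may be quoted.
# Returns nil when max-age is missing or not a non-negative integer,
# since such a header is ignored by browsers.
def parse_hsts(value)
  result = { max_age: nil, include_subdomains: false, preload: false }
  value.to_s.split(";").each do |directive|
    name, _, raw = directive.strip.partition("=")
    case name.downcase
    when "max-age"
      digits = raw.strip.delete_prefix('"').delete_suffix('"')
      return nil unless digits.match?(/\A\d+\z/)
      result[:max_age] = digits.to_i
    when "includesubdomains" then result[:include_subdomains] = true
    when "preload"           then result[:preload] = true
    end
  end
  result[:max_age] ? result : nil
end

# Build the header value in the format Rails' ssl_options produces (assumed):
# "max-age=<seconds>[; includeSubDomains][; preload]".
def hsts_header(expires:, subdomains: false, preload: false)
  parts = ["max-age=#{expires.to_i}"]
  parts << "includeSubDomains" if subdomains
  parts << "preload" if preload
  parts.join("; ")
end

# Classify a header value against the plan:
# :missing, :short_max_age, :missing_subdomains, :not_preload_ready, :preload_ready.
def assess_hsts(value)
  parsed = parse_hsts(value)
  return :missing if parsed.nil?
  return :short_max_age if parsed[:max_age] < INITIAL_MAX_AGE
  return :missing_subdomains unless parsed[:include_subdomains]
  ready = parsed[:preload] && parsed[:max_age] >= PRELOAD_MIN_MAX_AGE
  ready ? :preload_ready : :not_preload_ready
end
```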


@aspittel (Collaborator) commented Mar 22, 2019

Hey @rhymes! Thanks for pointing this out -- will definitely discuss this and get back to you!
