Include an HSTS header in the 301 redirect from https://libravatar.org

Bug #1355378 reported by François Marier
Affects: Libravatar (obsolete) | Status: Confirmed | Importance: High | Assigned to: Unassigned | Milestone: none

Bug Description

As discussed in https://garron.net/crypto/hsts/hsts-2013.pdf, we should close the MITM opportunity when users type "libravatar.org" in their URL bar by adding HSTS headers in the 301 redirect from https://libravatar.org.

Tags: hsts security
François Marier (fmarier) wrote :

mod_alias doesn't normally add headers to non-200 responses. That's why we'll need to use the "always" condition:

  Header always add Strict-Transport-Security: "max-age=15768000"

(via http://serverfault.com/questions/173038/apache-redirect-and-set-cache-headers#answer-185191)

Changed in libravatar:
assignee: François Marier (fmarier) → nobody
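The following is an added example and not code from the Libravatar project or from the bug's participants. It shows what a practitioner would verify once the directive above is in place: that the 301 response from the HTTPS origin actually carries a Strict-Transport-Security header, that the value parses under RFC 6797 (max-age present exactly once, optional includeSubDomains and preload), and that max-age meets the six-month value used in the comment. It also encodes the rule that matters for this bug: user agents ignore HSTS on plain-HTTP responses, so the header has to be on the HTTPS redirect. The responses and the minimum age are constructed for the example; nothing is fetched from the network.

```python
"""Check that an HTTPS redirect carries a usable Strict-Transport-Security header.

Added example, not part of the Libravatar project. The responses below are
constructed by hand to mirror the redirect in this bug; no network access.
"""
import re

HSTS_HEADER = "Strict-Transport-Security"
# Six months, the max-age value from the comment in this bug (assumed threshold).
MIN_MAX_AGE = 15768000


def parse_hsts(value):
    """Parse an HSTS header value per RFC 6797 section 6.1.

    Returns a dict with 'max_age' (int), 'include_subdomains' (bool) and
    'preload' (bool). Directive names are case-insensitive; max-age is
    required and must appear exactly once; unknown directives are ignored.
    Raises ValueError on a value a user agent would reject.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if result["max_age"] is not None or not re.fullmatch(r"\d+", arg):
                raise ValueError("invalid or duplicated max-age: %r" % directive)
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive missing")
    return result


def check_redirect_hsts(scheme, status, headers, min_max_age=MIN_MAX_AGE):
    """Return a list of findings for a redirect response; empty means it is fine.

    scheme is the scheme the response was received over; headers is a list of
    (name, value) tuples in wire order, as a raw response would carry them.
    """
    findings = []
    if scheme != "https":
        # RFC 6797 section 8.1: STS header fields on non-secure transport are ignored.
        findings.append("HSTS is only honoured over HTTPS; a plain-HTTP redirect cannot pin the host")
        return findings
    values = [v for n, v in headers if n.lower() == HSTS_HEADER.lower()]
    if not values:
        findings.append("%d response has no %s header" % (status, HSTS_HEADER))
        return findings
    if len(values) > 1:
        # Only the first STS header field is processed by the UA.
        findings.append("multiple %s headers; UAs process only the first" % HSTS_HEADER)
    try:
        parsed = parse_hsts(values[0])
    except ValueError as exc:
        findings.append("unparseable %s: %s" % (HSTS_HEADER, exc))
        return findings
    if parsed["max_age"] < min_max_age:
        findings.append("max-age %d is below %d" % (parsed["max_age"], min_max_age))
    return findings


# Constructed responses: the bare host redirecting to www, before and after the fix.
BEFORE = [("Location", "https://www.libravatar.org/"), ("Content-Length", "0")]
AFTER = BEFORE + [("Strict-Transport-Security", "max-age=15768000")]

if __name__ == "__main__":
    print("before:", check_redirect_hsts("https", 301, BEFORE))
    print("after: ", check_redirect_hsts("https", 301, AFTER))
```

To run this against a live host, capture the redirect without following it (for example `curl -sI https://libravatar.org`), split the header lines into (name, value) pairs, and pass them to check_redirect_hsts with scheme "https".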