Consider increasing HSTS max-age

Bug #1315503 reported by Bryan Quigley
This bug affects 2 people
Affects: Launchpad itself | Status: Fix Released | Importance: Low | Assigned to: Haw Loeung | Milestone: (none)

Bug Description

Currently LP sends out a Strict Transport Security[1] saying only use HTTPS for the next 30 days [2]. Since I don't think we are going to change the HTTPS support for LP ever, I think we can definitely make it longer.

One added benefit once we get past a certain # of days (maybe 126, maybe 180) is that we can be preloaded as an HSTS site in Chrome and Firefox:
Chrome's post: http://www.chromium.org/sts
Firefox's: https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

My suggestion would either be 181 days or just do the max (1 year).

[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[2] https://www.ssllabs.com/ssltest/analyze.html?d=bugs.launchpad.net&s=91.189.89.225

William Grant (wgrant)
Changed in launchpad:
assignee: nobody → Haw Loeung (hloeung)
importance: Undecided → Low
status: New → In Progress
tags: added: security trivial
Haw Loeung (hloeung)
Changed in launchpad:
status: In Progress → Fix Committed
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Haw Loeung (hloeung) wrote :

GET / HTTP/1.1
Host: qastaging.launchpad.net

HTTP/1.1 200 OK
Date: Thu, 08 May 2014 11:39:15 GMT
Server: zope.server.http (HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
Content-Length: 23704
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000
Vary: Cookie,Authorization,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
X-Cache: MISS from arsenic.canonical.com
X-Cache-Lookup: HIT from arsenic.canonical.com:3128
Via: 1.0 arsenic.canonical.com:3128 (squid/2.7.STABLE7)
X-SCHEME: https

tags: added: qa-ok
removed: qa-needstesting
Haw Loeung (hloeung)
Changed in launchpad:
status: Fix Committed → Fix Released
Bryan Quigley (bryanquigley) wrote :

Thanks! Did anyone ask for the preload (see Chrome's post)? If not, I'll take care of it...

Bryan Quigley (bryanquigley) wrote :

In submitting to the preload list, I was asked if we want to do subdomains included too? I'm thinking we should (it can also be added to the header). Thoughts? Do we have any non-https subdomains off of lp.net?

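Parsing and checking the Strict-Transport-Security values discussed in this bug (the qastaging response's max-age=15552000, the earlier 30-day setting, and the includeSubDomains/preload directives raised in the last comment), as an added example that is not part of the bug report or of Launchpad's code; the 126-day threshold from the description is passed in as a parameter, and the two extra header values are constructed for comparison.

```python
import re

# The value seen in the qastaging response above (15552000 seconds), plus two
# constructed variants: the old 30-day policy and a preload-style header.
SAMPLE_HEADERS = {
    "qastaging": "max-age=15552000",
    "thirty_days": "max-age=2592000",
    "preload_ready": 'max-age="31536000"; includeSubDomains; preload',
}

SECONDS_PER_DAY = 86400


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into its directives (RFC 6797 syntax).

    Directive names are case-insensitive, max-age is mandatory and its value
    may be quoted; a repeated directive makes the whole header invalid.
    Unknown directives are ignored, as the RFC requires.
    """
    seen = set()
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ';'
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        val = val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"bad max-age value: {val!r}")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def max_age_days(value: str) -> float:
    """max-age expressed in days, e.g. 15552000 seconds -> 180 days."""
    return parse_hsts(value)["max_age"] / SECONDS_PER_DAY


def check_policy(value: str, min_days: int, require_subdomains: bool = False) -> list:
    """List the ways a header falls short of the chosen minimum policy."""
    parsed = parse_hsts(value)
    problems = []
    if parsed["max_age"] < min_days * SECONDS_PER_DAY:
        problems.append(f"max-age covers only {max_age_days(value):.0f} days, policy wants {min_days}")
    if require_subdomains and not parsed["include_subdomains"]:
        problems.append("includeSubDomains missing")
    return problems
```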