Consider increasing HSTS max-age
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Low | Haw Loeung |
Bug Description
Currently LP sends out a Strict Transport Security[1] saying only use HTTPS for the next 30 days [2]. Since I don't think we are going to change the HTTPS support for LP ever, I think we can definitely make it longer.
One added benefit once we get past a certain # of days (maybe 126, maybe 180) is that we can be preloaded as an HSTS site in Chrome and Firefox:
Chrome's post: http://
Firefox's: https:/
My suggestion would either be 181 days or just do the max (1 year).
[1] https:/
[2] https:/
Related branches
- William Grant (community): Approve (code)
- Diff: 0 lines
Changed in launchpad:
assignee: nobody → Haw Loeung (hloeung)
importance: Undecided → Low
status: New → In Progress
tags: added: security trivial
Changed in launchpad:
status: In Progress → Fix Committed
Changed in launchpad:
status: Fix Committed → Fix Released
Fixed in stable r17001 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/17001>.
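A check for the max-age values discussed in this report, as an added example that is not part of the original bug report or of Launchpad's code: it parses a Strict-Transport-Security value under the RFC 6797 rules and compares the policy lifetime against a minimum number of days. The 180-day minimum used in the demo loop is the report's own guess rather than a confirmed preload requirement, and the header values are constructed samples.

```python
import re

DAY = 86400
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"  # HTTP token characters (RFC 7230 tchar)
# directive-name [ "=" ( token | quoted-string ) ], per RFC 6797 section 6.1
_DIRECTIVE = re.compile(
    r'^\s*(' + _TOKEN + r')\s*(?:=\s*(?:"([^"]*)"|(' + _TOKEN + r')))?\s*$')


def parse_hsts(value):
    """Parse one Strict-Transport-Security header value.

    Returns None when the value is invalid under RFC 6797 (malformed or
    repeated directive, missing or non-numeric max-age); a browser then
    ignores the header. Simplification: ';' inside a quoted string is
    treated as malformed.
    """
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directives such as a trailing ';' are allowed
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # each directive may appear only once
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}


def meets_min_days(value, min_days):
    """True if the policy is valid and lasts at least min_days."""
    policy = parse_hsts(value)
    return policy is not None and policy["max_age"] >= min_days * DAY


# Constructed sample values, not captured from Launchpad.
SAMPLES = {
    "30 days": "max-age=2592000",
    "181 days": "max-age=15638400",
    "1 year": 'Max-Age="31536000"; includeSubDomains',
    "repeated": "max-age=2592000; max-age=31536000",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, parse_hsts(header), meets_min_days(header, 180))
```

The "repeated" sample shows why a deployment check should parse the header rather than grep for a number: a value that sets max-age twice is invalid and yields no policy at all.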