Include an HSTS header in the 301 redirect from https://libravatar.org

Bug #1355378 reported by François Marier on 2014-08-11
Affects: Libravatar | Importance: High | Assigned to: Unassigned

Bug Description

As discussed in https://garron.net/crypto/hsts/hsts-2013.pdf, we should close the MITM opportunity when users type "libravatar.org" in their URL bar by adding HSTS headers in the 301 redirect from https://libravatar.org.

François Marier (fmarier) wrote :

mod_alias doesn't normally add headers to non-200 responses. That's why we'll need to use the "always" condition:

  Header always add Strict-Transport-Security: "max-age=15768000"

(via http://serverfault.com/questions/173038/apache-redirect-and-set-cache-headers#answer-185191)

Changed in libravatar:
assignee: François Marier (fmarier) → nobody
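A small checker for the behaviour this bug asks for, added here as an example (not Libravatar project code): given a redirect response's status and headers, it parses the Strict-Transport-Security value per RFC 6797 and reports whether the redirect carries HSTS with a sufficient max-age and points at an https target. The sample responses are constructed, not captured from libravatar.org.

```python
import re
from typing import Dict, List, Optional

SIX_MONTHS = 15768000  # the max-age proposed in the bug


def parse_hsts(value: str) -> Dict[str, Optional[object]]:
    """Split a Strict-Transport-Security value into its directives."""
    d = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())  # quoted form is allowed
            if m:
                d["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            d["include_subdomains"] = True
        elif name == "preload":
            d["preload"] = True
    return d


def check_redirect(url: str, status: int, headers: Dict[str, str],
                   min_max_age: int = SIX_MONTHS) -> List[str]:
    """Return findings for a redirect response; an empty list means it is fine."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not url.lower().startswith("https://"):
        # RFC 6797: a UA must ignore HSTS received over a non-secure transport
        findings.append("response was not served over TLS; browsers ignore HSTS on plain HTTP")
    if status in (301, 302, 307, 308):
        if not h.get("location", "").lower().startswith("https://"):
            findings.append("redirect target is not https")
    sts = h.get("strict-transport-security")
    if sts is None:
        # the failure mode in the bug: mod_headers skips non-2xx unless "always" is used
        findings.append("missing Strict-Transport-Security on %d response" % status)
        return findings
    d = parse_hsts(sts)
    if d["max_age"] is None:
        findings.append("HSTS header has no valid max-age")
    elif d["max_age"] < min_max_age:
        findings.append("HSTS max-age %d below %d" % (d["max_age"], min_max_age))
    return findings


# Constructed sample responses for the https://libravatar.org 301 redirect.
REDIRECT_WITHOUT_HSTS = {"Location": "https://www.libravatar.org/", "Content-Length": "0"}
REDIRECT_WITH_HSTS = {"Location": "https://www.libravatar.org/",
                      "Strict-Transport-Security": "max-age=15768000"}
```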