Open Bug 1237178 Opened 9 years ago Updated 4 years ago

Add the preload directive to the bugzilla.mozilla.org HSTS header

Categories: bugzilla.mozilla.org :: General, enhancement
Production, enhancement, Not set, normal
People: Reporter: glob, Unassigned

bugzilla.mozilla.org is in the hsts preload list: https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.inc#485 however, we don't set the preload attribute on the strict-transport-security header: Strict-transport-security: max-age=31536000; includeSubDomains
after chatting with april we need to make sure the bmo subdomain is actually in the list, not just hardcoded into firefox and chrome. april - let us know if/when bmo is in the preload list, or if it isn't a possibility. thanks!
Flags: needinfo?(april)
It's on the preload list. I had it added myself back in 2013. :) https://chromium.googlesource.com/chromium/src/net/+/4a1ac9d253158de5195b43c19f2db883e27f7ab2 Synced to Firefox in https://hg.mozilla.org/mozilla-central/diff/6cd6960ea7f6/security/manager/boot/src/nsSTSPreloadList.inc It is *not* HPKP preloaded, though. That should be done. The extra 'preload' flag is only needed if you're going through https://hstspreload.appspot.com/, but it wouldn't hurt to add it.
great - thanks reed.

> It is *not* HPKP preloaded, though. That should be done.

april raised hpkp with me in orlando; i 302'd to fubar.

> The extra 'preload' flag is only needed if you're going through
> https://hstspreload.appspot.com/, but it wouldn't hurt to add it.

.. and it's a clear indicator that we're on the list and we don't need to revisit this again :)
Flags: needinfo?(april)
Looks like bmo was added manually to the list some time ago, before the preload thing even existed. But, I agree that we should add preload to our header, just so we can be explicit about it. Also, I know that the Chrome manual HSTS was copied directly to Firefox, but I don't know if it gets loaded into Safari/Edge the same way. Reed, do you know if it does or not?
Flags: needinfo?(reed)
(In reply to April King from comment #4)

> Also, I know that the Chrome manual HSTS was copied directly to Firefox, but
> I don't know if it gets loaded into Safari/Edge the same way. Reed, do you
> know if it does or not?

Yeah, they both pull directly from Chromium's list. No idea how often, though. You can use SSL Labs for testing this. https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.mozilla.org&hideResults=on&latest Search for "HSTS Preloading" on that page, and you'll see that "Chrome Edge Firefox IE Tor" are all listed. Safari also uses the same list, and I believe you can test whether something is on their list by opening Safari at least once and then checking ~/Library/Cookies/HSTS.plist to see if the entry is present.
Flags: needinfo?(reed)
Since bugzilla.mozilla.org is already preloaded (via manual subdomain addition, normally not possible), I'm morphing this bug to be about adding the `preload` directive to the existing HSTS header per comment 4. I've filed bug 1351516 for preloading all of mozilla.org and bug 1351363 for tracking preloading of other apex domains too.
Summary: add hsts preloading → Add the preload directive to the bugzilla.mozilla.org HSTS header
Type: defect → enhancement
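As an added example (not part of this bug thread and not BMO's own code), the following Python script parses a Strict-Transport-Security header the way RFC 6797 describes (semicolon-separated directives, case-insensitive names, an integer max-age) and reports which preload-submission directives are missing. It is run against the header quoted in the bug and against the proposed form with `preload` added. The minimum max-age threshold of 31536000 seconds is an assumption taken from the current hstspreload.org requirement of at least one year; the `fetch_hsts_header` helper and its `HEAD` request are likewise this example's own choice, not something the thread specifies.

```python
"""Check a Strict-Transport-Security header for the directives an HSTS preload
submission requires. Added example; not part of the bug thread or BMO's code."""
import http.client
import sys
from typing import List, NamedTuple, Optional

# Assumed threshold: hstspreload.org currently requires a max-age of at least
# one year (31536000 seconds) in addition to includeSubDomains and preload.
MIN_PRELOAD_MAX_AGE = 31536000


class HstsPolicy(NamedTuple):
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the directive list of an HSTS header value.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    max-age carries a non-negative integer (optionally quoted), and unknown
    directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header_value: str) -> List[str]:
    """Return the reasons this header would not satisfy a preload submission.

    An empty list means every required directive is present.
    """
    policy = parse_hsts(header_value)
    problems = []
    if policy.max_age is None:
        problems.append("missing max-age")
    elif policy.max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {policy.max_age} below {MIN_PRELOAD_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload")
    return problems


def fetch_hsts_header(host: str) -> Optional[str]:
    """Fetch the live Strict-Transport-Security header over HTTPS (HEAD request).

    Returns None when the host serves no HSTS header at all.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check of a host given on the command line, e.g. bugzilla.mozilla.org
        live = fetch_hsts_header(sys.argv[1])
        print(f"{sys.argv[1]}: {live!r} -> {preload_problems(live or '') or 'preload-ready'}")
    else:
        # Offline: the header quoted in the bug, then the form with preload added.
        current = "max-age=31536000; includeSubDomains"
        proposed = "max-age=31536000; includeSubDomains; preload"
        for header in (current, proposed):
            print(f"{header!r}: {preload_problems(header) or 'preload-ready'}")
```

Run without arguments to see the quoted header flagged as "missing preload" and the proposed header reported as preload-ready; pass a hostname to check a live site. Note that the checker only looks at the header itself: being present in the browsers' built-in list (as the thread establishes for bmo) is a separate fact that this script cannot confirm, which is exactly why the thread treats the `preload` directive as an explicit marker of that state.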