Bug 1351514: Add mozillians.org to the HSTS preload list
Status: Closed (RESOLVED FIXED); opened 8 years ago, closed 8 years ago
Categories: Participation Infrastructure :: Phonebook, defect
Tracking: (Not tracked)
People: Reporter: emorley, Assigned: nemo-yiannis
Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves.
Rough steps:
1) Identify mozillians.org subdomains that don't yet support HTTPS and file dependent bugs to fix them.
2) Ensure the apex/root domain (https://mozillians.org/) serves an HSTS header that meets the requirements on https://hstspreload.org/
3) Submit the domain using that same tool
In the case of Mozillians I'm presuming subdomains aren't an issue since the apex domain already sets `includeSubdomains`, and so all that is left is adding the `preload` directive to satisfy #2.
$ curl -IL mozillians.org
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Wed, 29 Mar 2017 01:10:36 GMT
Location: https://mozillians.org/
Connection: Keep-Alive
Content-Length: 0
HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
X-Backend-Server: python3.webapp.phx1.mozilla.com
Vary: Accept-Language,X-Mobile,User-Agent, Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Security-Policy: <SNIP>
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 29 Mar 2017 01:10:37 GMT
Location: https://mozillians.org/en-US/
x-xss-protection: 1; mode=block
Transfer-Encoding: chunked
x-content-type-options: nosniff
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching
Comment 1 (Assignee) • 8 years ago
(cc'ing :ericz)
We are not handling HSTS headers in our codebase. I think that it's implemented at the load balancer level.
Regarding other domains, we are only using mozillians.org so I don't think we define any subdomains in our zone.
:ericz
Can you help us with this? Should I move this bug to another component?
Flags: needinfo?(eziegenhorn)
Comment 2 (Reporter) • 8 years ago
I can't see the HSTS header being set anywhere in the IT puppet repo (e.g. the mozillians Apache config), so I'm guessing it must be added by ZLB?
Comment 3 • 8 years ago
It's not set in Apache or Zeus as far as I can see, and I do see it when I hit the webhead directly, so I believe it is coming from your app. Can you check again please?
[eziegenhorn@python1.webapp.phx1 ~]$ curl -sIH'Host: mozillians.org' localhost:81/en-US/ | grep -i strict
Strict-Transport-Security: max-age=31536000; includeSubDomains
[eziegenhorn@python1.webapp.phx1 ~]$ grep -i strict /etc/httpd/mozilla/domains/mozillians.org.conf
[eziegenhorn@python1.webapp.phx1 ~]$
Flags: needinfo?(eziegenhorn)
Comment 4 (Assignee) • 8 years ago
You are right, I was grepping the wrong middleware. Apparently we are handling this:
> $ grep -R "StrictTransportMiddleware" mozillians
> mozillians/settings/base.py: 'commonware.response.middleware.StrictTransportMiddleware'
Comment 5 (Reporter) • 8 years ago
That comes from:
https://github.com/jsocol/commonware/blob/392213bb3afdc409fe0c907cc3a2726767756b22/commonware/response/middleware.py#L42-L58
...which doesn't support the `preload` directive.
Django actually now supports most of the things that package provides (and that package isn't maintained), so I'd recommend switching away from it in the future.
I added support for the `preload` directive to Django 1.11 (soon to be released), but that doesn't help here.
Short term I'd suggest just adding a custom middleware to the repo cribbed from the Django 1.11 version:
https://github.com/django/django/blob/stable/1.11.x/django/middleware/security.py#L31-L38
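As an added illustration of the two things discussed in this thread (a custom middleware that emits the `preload` directive the way Django 1.11's SecurityMiddleware does, and checking a served header against the preload requirements from step 2 of the description), here is example code that is not part of mozillians or Django; the one-year `max-age` threshold and the stand-in request/response objects are assumptions:

```python
from types import SimpleNamespace

# Assumption: hstspreload.org currently requires max-age >= one year; the bug
# only says "meets the requirements", so this threshold is ours, not the page's.
PRELOAD_MIN_MAX_AGE = 31536000


class HSTSPreloadMiddleware:
    """Django-style middleware that adds an HSTS header with ``preload``.
    Mirrors django.middleware.security.SecurityMiddleware (1.11) without importing
    Django: request/response need only is_secure(), has_header() and item assignment."""

    def __init__(self, get_response, max_age=31536000, include_subdomains=True, preload=True):
        self.get_response = get_response
        self.max_age, self.include_subdomains, self.preload = max_age, include_subdomains, preload

    def __call__(self, request):
        response = self.get_response(request)
        # HTTPS only, and never clobber a header the application set itself.
        if self.max_age and request.is_secure() and not response.has_header("Strict-Transport-Security"):
            value = "max-age=%d" % self.max_age
            if self.include_subdomains:
                value += "; includeSubDomains"
            if self.preload:
                value += "; preload"
            response["Strict-Transport-Security"] = value
        return response


def parse_hsts(value):
    """Parse an HSTS value into {lowercase directive: value or None}; names are case-insensitive (RFC 6797)."""
    directives = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def preload_check(value):
    """Report which hstspreload.org requirements a served header value satisfies."""
    d = parse_hsts(value)
    age = d.get("max-age")
    return {"max_age_ok": bool(age and age.isdigit() and int(age) >= PRELOAD_MIN_MAX_AGE),
            "include_subdomains": "includesubdomains" in d, "preload": "preload" in d}


class _Response(dict):  # constructed stand-in for django.http.HttpResponse
    def has_header(self, name): return name in self


def header_after_middleware(secure=True):
    """Run the middleware over a constructed request and return the HSTS value it emits."""
    request = SimpleNamespace(is_secure=lambda: secure)  # constructed stand-in for HttpRequest
    mw = HSTSPreloadMiddleware(lambda req: _Response())
    return mw(request).get("Strict-Transport-Security")
```

Running `preload_check` over the header captured in the description reports `preload` missing, while the dev header quoted later in the thread passes all three checks.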
Updated (Assignee) • 8 years ago
Assignee: nobody → jgiannelos
Comment 6 • 8 years ago
Commit pushed to master at https://github.com/mozilla/mozillians
https://github.com/mozilla/mozillians/commit/8d32ef8ec2b97e5b26dd6631f81a2da23471e70b
[Fix bug 1351514] Add custom middleware to allow HSTS preloading.
Updated • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 7 (Reporter) • 8 years ago
Many thanks! Looks good on dev:
$ curl -IsSf https://mozillians-dev.allizom.org/ | grep -i strict
strict-transport-security: max-age=31536000; includeSubDomains; preload
Reopening the bug, since once this is on prod the site will need submitting using the form here:
https://hstspreload.org/?domain=mozillians.org
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8 (Assignee) • 8 years ago
Sounds good. I will make sure to submit the form when it reaches prod and close that bug.
Comment 9 (Assignee) • 8 years ago
Closing this bug after submitting the form.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED