Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves. Rough steps: 1) Identify mozillians.org subdomains that don't yet support HTTPS and file dependant bugs to fix them. 2) Ensure the apex/root domain (https://mozillians.org/) serves an HSTS header that meets the requirements on https://hstspreload.org/ 3) Submit the domain using that same tool In the case of Mozillians I'm presuming subdomains aren't an issue since the apex domain already sets `includeSubdomains`, and so all is left is adding the `preload` directive to satisfy #2. $ curl -IL mozillians.org HTTP/1.1 301 Moved Permanently Content-Type: text/html Date: Wed, 29 Mar 2017 01:10:36 GMT Location: https://mozillians.org/ Connection: Keep-Alive Content-Length: 0 HTTP/1.1 301 MOVED PERMANENTLY Server: Apache X-Backend-Server: python3.webapp.phx1.mozilla.com Vary: Accept-Language,X-Mobile,User-Agent, Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Security-Policy: <SNIP> Strict-Transport-Security: max-age=31536000; includeSubDomains Date: Wed, 29 Mar 2017 01:10:37 GMT Location: https://mozillians.org/en-US/ x-xss-protection: 1; mode=block Transfer-Encoding: chunked x-content-type-options: nosniff Connection: Keep-Alive X-Frame-Options: DENY X-Cache-Info: caching

(cc'ing :ericz) We are not handling HSTS headers in our codebase. I think that its implemented in the loadbalancer level. Regarding other domains, we are only using mozillians.org so I don't think we define any subdomains in our zone. :ericz Can you help us with this? Should I move this bug to another component?

I can't see the HSTS header being set anywhere in the IT puppet repo (eg the mozillians Apache config), so guessing it must be added by ZLB?

It's not set in Apache or Zeus as far as I can see, and I do see it when I hit the webhead directly so I believe it is coming from your app, can you check again please? [eziegenhorn@python1.webapp.phx1 ~]$ curl -sIH'Host: mozillians.org' localhost:81/en-US/ | grep -i strict Strict-Transport-Security: max-age=31536000; includeSubDomains [eziegenhorn@python1.webapp.phx1 ~]$ grep -i strict /etc/httpd/mozilla/domains/mozillians.org.conf [eziegenhorn@python1.webapp.phx1 ~]$

You are right, I was grepping the wrong middleware. Apparently we are handling this: > $ grep -R "StrictTransportMiddleware" mozillians > mozillians/settings/base.py: 'commonware.response.middleware.StrictTransportMiddleware'

That comes from: https://github.com/jsocol/commonware/blob/392213bb3afdc409fe0c907cc3a2726767756b22/commonware/response/middleware.py#L42-L58 ...which doesn't support the `preload` directive. Django actually now supports most of the things that package provides (and that package isn't maintained), so I'd recommend switching away from it in the future. I added support for the `preload` directive to Django 1.11 (soon to be released), but that doesn't help here. Short term I'd suggest just adding a custom middleware to the repo cribbed from the Django 1.11 version: https://github.com/django/django/blob/stable/1.11.x/django/middleware/security.py#L31-L38

Commit pushed to master at https://github.com/mozilla/mozillians https://github.com/mozilla/mozillians/commit/8d32ef8ec2b97e5b26dd6631f81a2da23471e70b [Fix bug 1351514] Add custom middleware to allow HSTS preloading.

Many thanks! Looks good on dev: $ curl -IsSf https://mozillians-dev.allizom.org/ | grep -i strict strict-transport-security: max-age=31536000; includeSubDomains; preload Reopening bug since once on prod the site will need submitting using the form here: https://hstspreload.org/?domain=mozillians.org

Sounds good. I will make sure to submit the form when it reaches prod and close that bug.

Closing this bug after submitting the form.