Enforce HSTS on all SSL pages
Open, High, Public

Description

I propose we pull the trigger and enable HSTS on many of our sites; we already force them anyway by doing a soft 302 redirect, but really we should set HSTS flags.

This includes things like

  • www.h.o and new-www.h.o
  • ghc.haskell.org AKA Trac
  • Phabricator
  • Monitor/Nagios

Planet and Hackage may have to stick around with HTTP available to not interrupt existing clients.

austin created this task. Jul 12 2014, 7:10 PM
austin claimed this task.
austin added projects: Haskell.org Infrastructure, Restricted Project.
austin added a subscriber: austin.
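As an added example (not code from this task or from haskell.org's infrastructure), a small audit of what the description asks for: the plain-HTTP response should be a permanent redirect to https:// rather than the soft 302 currently used, and the HTTPS response should carry a Strict-Transport-Security header with an adequate max-age. The six-month minimum max-age and the sample responses are assumptions constructed for the example.

```python
"""Audit the HTTP->HTTPS redirect and the HSTS (RFC 6797) header for one host.
Added example, not part of this task or haskell.org's configuration; the
sample responses at the bottom are constructed, not captured from any host."""

MIN_MAX_AGE = 180 * 24 * 3600  # assumption: require at least six months

def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def parse_hsts(value):
    """Parse an STS value into {directive: value}; None if max-age is missing/invalid."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    if not out.get("max-age", "").isdigit():
        return None
    out["max-age"] = int(out["max-age"])
    return out

def audit(http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means the host is set up as the task asks."""
    findings = []
    loc = get_header(http_headers, "Location") or ""
    if not loc.lower().startswith("https://"):
        findings.append("plain-HTTP response does not redirect to https://")
    elif http_status != 301:
        findings.append(f"redirect is a soft {http_status}, use a permanent 301")
    # Browsers ignore STS received over plain HTTP (RFC 6797 s7.2): check the HTTPS response.
    sts = get_header(https_headers, "Strict-Transport-Security")
    if sts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(sts)
    if policy is None:
        findings.append("Strict-Transport-Security has no valid max-age directive")
    else:
        if policy["max-age"] < MIN_MAX_AGE:
            findings.append(f"max-age={policy['max-age']} is below {MIN_MAX_AGE}")
        if "includesubdomains" not in policy:
            findings.append("consider includeSubDomains so subdomains are covered too")
    return findings

# Constructed sample: the "soft 302" setup the task describes, with HSTS already on.
SAMPLE_HTTP = (302, {"Location": "https://www.example.org/"})
SAMPLE_HTTPS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTP[0], SAMPLE_HTTP[1], SAMPLE_HTTPS) or ["OK"]:
        print(finding)
```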
hvr added a subscriber: hvr. Edited Sep 14 2014, 3:20 AM

I've configured https://ghc.haskell.org/ to emit the HSTS header.

austin added a subscriber: Haskell.org Infrastructure.

Merged in old task. We still need to do this to finish the CloudFlare migration really (because we want it to talk to SSL on the backend and enforce proper headers). Copying old link:

https://wiki.mozilla.org/Security/Server_Side_TLS

austin changed the visibility from "All Users" to "Public (No Login Required)". Oct 25 2014, 3:15 AM
austin changed the edit policy from "All Users" to "Haskell.org Infrastructure (Project)".

https://status.haskell.org now always redirects to HTTPS, thanks to the fact CloudFlare can route it for us.

This is done for www.haskell.org. Dunno what's left.