[Rack] forcing our hands w/ TLS by setting includeSubdomains on noisebridge.net HSTS
Patrick O'Doherty
p at trickod.com
Fri Apr 8 18:14:15 UTC 2016
all services will be configured to redirect http pages to their https
equivalent. Once that's done the browser stores the HSTS status and
doesn't allow any plaintext http connections to start; it automatically
changes them to https.
NB: this is *already* the case for the noisebridge.net domain. Someone
(Andy?) mentioned that we're on a list of https-only domains baked into
the chromium project and were one of the original adopters of the header.
The change here is to extend this behavior to *all* our subdomains, such
that if anyone visits any noisebridge.net URL all further noisebridge.net
or *.noisebridge.net pages will always be loaded over HTTPS.
Rubin Abdi:
> What happens if someone types in http://noisebridge.net? There are plenty
> of links out there leading to us without SSL.
>
> On 8 April 2016 at 10:56, Patrick O'Doherty <p at trickod.com> wrote:
>
>> hey folks,
>>
>> Since the GA of LetsEncrypt I've wanted to make it a pattern that all
>> noisebridge services operate over TLS.
>>
>> It occurred to me this morning that we could theoretically force our own
>> hands with this by setting the includeSubdomains flag on the HSTS header
>> on noisebridge.net, meaning that any service that we run on a subdomain
>> *must* run over HTTPS. [0]
>>
>> I know there's a few subdomains like lists.noisebridge.net which would
>> need to be upgraded immediately, but I can take care of that.
>>
>> Is there any good reason *not* to do this?
>>
>> p
>>
>> [0] - https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
>>
>>
>> _______________________________________________
>> Rack mailing list
>> Rack at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/rack