[Rack] forcing our hands w/ TLS by setting includeSubdomains on noisebridge.net HSTS
Patrick O'Doherty
p at trickod.com
Fri Apr 8 18:15:50 UTC 2016
You can verify this behavior w/ curl:
-> % curl -IL http://noisebridge.net
HTTP/1.1 302 Found
Date: Fri, 08 Apr 2016 18:15:29 GMT
Server: Apache/2.2.22 (Ubuntu)
Location: https://www.noisebridge.net/
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 08 Apr 2016 18:15:29 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.21
X-Content-Type-Options: nosniff
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-Modified: Fri, 08 Apr 2016 15:33:19 GMT
Content-Language: en
Strict-Transport-Security: max-age=15768000
Content-Type: text/html; charset=UTF-8
Rubin Abdi:
> What happens if someone types in http://noisebridge.net? There are plenty
> of links out there leading to us without SSL.
>
> On 8 April 2016 at 10:56, Patrick O'Doherty <p at trickod.com> wrote:
>
>> hey folks,
>>
>> Since the GA of LetsEncrypt I've wanted to make it a pattern that all
>> noisebridge services operate over TLS.
>>
>> It occurred to me this morning that we could theoretically force our own
>> hands with this by setting the includeSubdomains flag on the HSTS header
>> on noisebridge.net, meaning that any service that we run on a subdomain
>> *must* run over HTTPS. [0]
>>
>> I know there's a few subdomains like lists.noisebridge.net which would
>> need to be upgraded immediately, but I can take care of that.
>>
>> Is there any good reason *not* to do this?
>>
>> p
>>
>> [0] -
>>
>> https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
>>
>>
>> _______________________________________________
>> Rack mailing list
>> Rack at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/rack
>>
>>
>
>
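Added example, not part of the thread above or of any Noisebridge code: a small RFC 6797 HSTS policy parser plus a coverage check, to make concrete what the curl trace shows and what the includeSubDomains proposal would change. Two points from the trace drive it: the 302 is an HTTP response, and per RFC 6797 a browser ignores a Strict-Transport-Security header it receives over plain HTTP, so a first visit to http://noisebridge.net (Rubin's question) is unprotected until the HTTPS response is seen; and the 200 that carries the header came from www.noisebridge.net, where curl was redirected, so an includeSubDomains flag on that response would cover *.www.noisebridge.net, not lists.noisebridge.net. The sample header values are constructed from the trace (max-age=15768000) and from the proposal; the host names are the ones the thread mentions.

```python
"""Parse Strict-Transport-Security headers and decide which hosts a stored
policy covers (RFC 6797).  Added example; sample data is constructed from the
curl trace quoted in the thread, not captured fresh."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    host: str                # host the policy was received from, lower-cased
    max_age: int             # seconds the policy is cached
    include_subdomains: bool # whether *.host is covered too


def parse_sts(host: str, header_value: str) -> Optional[HstsPolicy]:
    """Parse one STS header value.  Returns None when the header is invalid:
    RFC 6797 requires exactly one max-age and forbids repeated directives."""
    max_age = None
    include = False
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None                     # duplicate directive -> ignore header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":   # directive names are case-insensitive
            include = True
        # unknown directives (e.g. preload) are skipped, as the RFC says
    if max_age is None:
        return None
    return HstsPolicy(host.lower().rstrip("."), max_age, include)


def policy_from_response(scheme: str, host: str,
                         headers: Dict[str, str]) -> Optional[HstsPolicy]:
    """RFC 6797 s8.1: a UA only notes an STS header that arrived over a secure
    transport.  The 302 from http://noisebridge.net therefore sets no policy
    even if it were to carry the header."""
    if scheme != "https":
        return None
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return None
    return parse_sts(host, value)


def covered_by(policy: HstsPolicy, target: str) -> bool:
    """A policy covers its own host; with includeSubDomains it also covers every
    label-wise subdomain, but never siblings, the parent, or look-alike names."""
    target = target.lower().rstrip(".")
    if target == policy.host:
        return True
    return policy.include_subdomains and target.endswith("." + policy.host)


def coverage_report(policy: Optional[HstsPolicy], hosts) -> Dict[str, bool]:
    """Map each host to whether the given policy forces HTTPS for it."""
    return {h: (policy is not None and covered_by(policy, h)) for h in hosts}


# --- constructed from the thread's curl trace -------------------------------
RESPONSE_200 = {"Strict-Transport-Security": "max-age=15768000"}
# curl followed the 302 to www.noisebridge.net, so this is www's policy.
CURRENT = policy_from_response("https", "www.noisebridge.net", RESPONSE_200)

# Hypothetical header value implementing the proposal in the thread.
PROPOSED = "max-age=15768000; includeSubDomains"
SERVICES = ["noisebridge.net", "www.noisebridge.net", "lists.noisebridge.net"]

if __name__ == "__main__":
    print("today (www, no includeSubDomains):", coverage_report(CURRENT, SERVICES))
    print("proposal served from www:        ",
          coverage_report(parse_sts("www.noisebridge.net", PROPOSED), SERVICES))
    print("proposal served from apex:       ",
          coverage_report(parse_sts("noisebridge.net", PROPOSED), SERVICES))
    print("proposal sent over plain http:   ",
          policy_from_response("http", "noisebridge.net",
                               {"Strict-Transport-Security": PROPOSED}))
```

The third report is the one the proposal needs: the header with includeSubDomains has to be served by https://noisebridge.net itself, not only by www, before lists.noisebridge.net is forced onto HTTPS. Users whose first contact is http://noisebridge.net remain unprotected for that first request regardless of the flag.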