
Bug 438679

Summary: Enable HSTS (HTTP Strict Transport Security) on this Bugzilla
Product: Community
Component: Bugzilla
Status: RESOLVED FIXED
Severity: normal
Priority: P3
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Reporter: Tim Li <fn84b>
Assignee: Eclipse Webmaster <webmaster>
QA Contact:
CC: denis.roy, fn84b
Whiteboard:

Description Tim Li CLA 2014-07-02 02:51:47 EDT
This Bugzilla requires HTTPS connections (http://bugs.eclipse.org redirects to https://bugs.eclipse.org), so could we send a "Strict-Transport-Security: max-age=31536000" header, so that browsers will automatically use HTTPS even if a link points to HTTP?
Comment 1 Eclipse Webmaster CLA 2014-07-17 14:51:02 EDT
Done.

-M.
Comment 2 Tim Li CLA 2014-08-15 03:59:00 EDT
Currently the max-age is set to be 1728000 (20 days). Could we raise that value to 1 year (31536000) or longer? The Wikipedia article [1] says "it is recommended to set the max-age to a big value like 31536000 (12 months) or 63072000 (24 months)". Also Qualys SSL Labs [2] warns "max-age=1728000   TOO SHORT (less than 180 days)".

[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Implementation
[2] https://www.ssllabs.com/ssltest/analyze.html?d=bugs.eclipse.org
Comment 3 Denis Roy CLA 2014-08-15 11:05:07 EDT
I've set it to 63072000 (2 years).  The setting should propagate shortly.  Matt, was there any specific reason why you went with 20 days?
Comment 4 Eclipse Webmaster CLA 2014-08-15 16:18:17 EDT
I read through the RFC [1] and my takeaway was there wasn't any particular advantage to a longer duration, so I decided to deploy it with a constant date in the future (so in theory clients will always update how long they 'trust' the site). I figured if you hadn't visited us once in 20 days, having your browser make sure everything was OK was a safe choice.

-M.

[1] http://tools.ietf.org/html/rfc6797
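Comments 2 and 4 above turn on how long an HSTS max-age should be and how the directive is parsed. The following is an added example written for this page, not code from the Eclipse webmasters or from Bugzilla: it parses a Strict-Transport-Security header value per RFC 6797 section 6.1 and grades its max-age against the 180-day "TOO SHORT" threshold that the SSL Labs report quoted in comment 2 uses. The header strings it runs over are constructed samples, not captured from bugs.eclipse.org; the `preload` directive it recognises comes from the browser preload list convention, not from RFC 6797.

```python
"""Parse a Strict-Transport-Security header and grade its max-age.

Added example, not part of the Eclipse bug thread. The 180-day threshold is
the Qualys SSL Labs warning quoted in the thread; the 20-day, 1-year and
2-year values are the ones the thread discusses. All headers below are
constructed samples.
"""
import re

DAY = 86400
TOO_SHORT_DAYS = 180            # SSL Labs flags max-age below this as "TOO SHORT"
TWENTY_DAYS = 1728000           # value first deployed (comment 2)
ONE_YEAR = 31536000             # value requested (comments 0 and 2)
TWO_YEARS = 63072000            # value set in comment 3


def parse_hsts(header_value):
    """Return a dict of HSTS directives following RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is required, and its value
    may be quoted. Returns None if the header is absent or malformed
    (non-numeric max-age, or a directive given more than once, which the RFC
    says makes the whole header field invalid).
    """
    if not header_value:
        return None
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            return None
        directives[name] = value
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def grade_hsts(header_value):
    """Summarise the policy: max-age in whole days and whether it is long enough."""
    d = parse_hsts(header_value)
    if d is None:
        return {"valid": False, "days": 0, "too_short": True,
                "include_subdomains": False, "preload": False}
    days = d["max-age"] // DAY
    return {"valid": True, "days": days, "too_short": days < TOO_SHORT_DAYS,
            "include_subdomains": "includesubdomains" in d,
            "preload": "preload" in d}


# Constructed sample headers, one per situation discussed in the thread
SAMPLES = {
    "20 days": f"max-age={TWENTY_DAYS}",
    "1 year": f"max-age={ONE_YEAR}; includeSubDomains",
    "2 years": f'max-age="{TWO_YEARS}"; includeSubDomains; preload',
    "missing": None,
    "duplicate": "max-age=100; max-age=200",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:10} {grade_hsts(hdr)}")
```

Integer division reports the 20-day header as exactly 20 days and the two-year header as 730, so the grade matches the SSL Labs wording in comment 2. A duplicated max-age is rejected outright rather than picking the first or last value, because a browser that follows the RFC ignores such a header entirely, which is the failure mode a deployment check most wants to catch.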
Comment 5 Denis Roy CLA 2014-08-26 14:06:16 EDT
Let's leave it as-is.  I can't foresee shuffling Bugzilla over plain http anytime soon anyway.