[[HTTP Strict Transport Security]] tells a user's browser to load all resources for a website over HTTPS, even if the resources are referenced with an "http://" URI. More information at http://www.imperialviolet.org/2012/07/19/hope9talk.html
See Also:
Change 202267 had a related patch set uploaded (by Chmarkine):
dbtree - Raise HSTS max-age to 1 year and add always flag
Change 202267 merged by Dzahn:
dbtree - Raise HSTS max-age to 1 year and add always flag
Change 206977 had a related patch set uploaded (by Chmarkine):
RT - Raise HSTS max-age to 1 year
Change 206979 had a related patch set uploaded (by Chmarkine):
donate - Raise HSTS max-age to 1 year
Change 206980 had a related patch set uploaded (by Chmarkine):
doc - Raise HSTS max-age to 1 year
Change 206981 had a related patch set uploaded (by Chmarkine):
integration - Raise HSTS max-age to 1 year
Change 206982 had a related patch set uploaded (by Chmarkine):
servermon - Raise HSTS max-age to 1 year
Change 206983 had a related patch set uploaded (by Chmarkine):
iegreview - Raise HSTS max-age to 1 year
Change 206984 had a related patch set uploaded (by Chmarkine):
annual - Raise HSTS max-age to 1 year and add "always"
Change 206992 had a related patch set uploaded (by Chmarkine):
ishmael - Raise HSTS max-age to 1 year and add "always"
Change 206984 merged by BBlack:
annual - Raise HSTS max-age to 1 year and add "always"
Change 206983 merged by BBlack:
iegreview - Raise HSTS max-age to 1 year and add "always"
Change 206992 merged by BBlack:
ishmael - Raise HSTS max-age to 1 year and add "always"
Why aren't the Vary and HSTS headers set for https://gdash.wikimedia.org, but are correctly set for http://gdash.wikimedia.org?
[1] https://phabricator.wikimedia.org/rOPUP2d42541477de7aca5d4f23ab87f60be90d0e1962
[2] https://www.ssllabs.com/ssltest/analyze.html?d=gdash.wikimedia.org
For these requests the apache config has "SetHandler uwsgi-handler", which makes header set not work. https://uwsgi-docs.readthedocs.org/en/latest/Apache.html?highlight=assbackwards hints as this when it says "If you do not use Apache2 filters". The early keyword for headers might help. OTOH https://httpd.apache.org/docs/2.4/mod/mod_headers.html#early says "Always use Late mode in an operational server." so perhaps it is a better idea to use cgi instead of assbackwards mode of uwsgi.
Change 211394 had a related patch set uploaded (by Chmarkine):
transparency - Raise HSTS max-age to 1 year
Change 213976 had a related patch set uploaded (by Chmarkine):
noc - Raise HSTS max-age to 1 year
Change 217557 had a related patch set uploaded (by Chmarkine):
people - Raise HSTS max-age to 1 year
I noticed that HSTS was enabled for English Wikipedia following the announcements here. But why is the max-age only 1 day? Is that just for now while we test it out?
But why is the max-age only 1 day? Is that just for now while we test it out?
Probably yes. The ability to quickly assess and revert the change has been pointed out several times by ops on T49832.
Right. At this point for the primary clusters we're 1-3 day values for HSTS for the recently-HTTPS'd domains. We'll be raising those values slowly over time. HSTS is awesome, but also scary, because you can't really take that back once you've sent it to a client :)
Change 195444 abandoned by Chmarkine:
Enable HSTS on racktables with max-age=7days
Reason:
HSTS will be added to all services behind misc-web centrally.
Update on the above: we've been advertising a 6-month HSTS on all primary production sites since Jun 26. Does not include all "misc" services as noted above.
Change 222301 had a related patch set uploaded (by BBlack):
HSTS: increase to 1y, do not allow applayer override
Note: this is already the case with two exceptions:
I should've added:
This is done for all the reasonable cases we have direct control of. The external-ish ones are tracked in task T132521 and on wikitech at https://wikitech.wikimedia.org/wiki/HTTPS/domains