Set HSTS max-age to 15768000 #402

Merged
merged 2 commits into from
Mar 6, 2024
Conversation

jbickar (Contributor) commented Mar 4, 2024

READY FOR REVIEW

Summary

  • Per discussion in Slack, improve SSL Labs score from A to A+

Review By (Date)

  • Meh, whenever

Criticality

  • How critical is this PR on a 1-10 scale? 1/10

Review Tasks

Setup tasks and/or behavior to test

  1. Deploy this branch to a dev/test environment
  2. Run https://www.ssllabs.com/ssltest/ on the hostname and see what score you get

sherakama (Member) commented Mar 4, 2024

@jbickar What are your thoughts on bumping this up to 1 year and submitting to https://hstspreload.org/?

jbickar (Contributor, Author) commented Mar 4, 2024

I don't have a problem with it philosophically. I don't know the application well enough to know if that's a risk; my hunch says it's not. https://hstspreload.org/ suggests ramping up the max-age in stages and ultimately increasing to max-age=63072000; includeSubDomains; preload
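As an added example (not code from this PR or its repository), a small Python checker that parses a Strict-Transport-Security value the way a browser would split it into directives and lists what still keeps it off the hstspreload.org list; the one-year minimum and the includeSubDomains/preload directives are hstspreload.org's published submission requirements as I know them, and the sample values are the ones discussed in this thread:

```python
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; hstspreload.org's minimum max-age, and the value this PR ends up merging

@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Hsts:
    """Split a Strict-Transport-Security value into its directives (names are
    case-insensitive, unknown ones ignored); a missing or non-numeric max-age is rejected."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer: {directive!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return Hsts(max_age, include_subdomains, preload)

def preload_blockers(value: str) -> list:
    """What keeps this header off the hstspreload.org list; an empty list means ready."""
    h = parse_hsts(value)
    problems = []
    if h.max_age < ONE_YEAR:
        problems.append(f"max-age {h.max_age} ({h.max_age // 86400} days) is below {ONE_YEAR}")
    if not h.include_subdomains:
        problems.append("missing includeSubDomains")
    if not h.preload:
        problems.append("missing preload")
    return problems

# Constructed samples: the value before this PR, the merged value, and the hstspreload.org target.
SAMPLES = {
    "before PR": "max-age=2592000",
    "merged": "max-age=31536000",
    "preload target": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:15} {header:48} -> {'; '.join(preload_blockers(header) or ['preload-ready'])}")
```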

jbickar (Contributor, Author) commented Mar 4, 2024

I would say since you're already using HSTS and you haven't had any user complaints, it doesn't seem risky.

jbickar (Contributor, Author) commented Mar 5, 2024

It looks like we've been using it on all sites since 2020, so preloading and a long max-age seems good by me.

@@ -14,7 +14,7 @@
Content-Security-Policy = "form-action https:"
X-Content-Type-Options = "nosniff"
Referrer-Policy = "origin-when-cross-origin"
Strict-Transport-Security = "max-age=2592000"
Strict-Transport-Security = "max-age=31536000"
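Review bot: the new line sets Strict-Transport-Security = "max-age=31536000" with no includeSubDomains or preload directive, so the header is not yet in the form hstspreload.org asks for (the thread cites max-age=63072000; includeSubDomains; preload as the target) even though the plan discussed above is to submit it there; if preloading is still the goal, a follow-up should add those two directives, after confirming that every subdomain of this host is served over HTTPS, since includeSubDomains binds all of them for the full max-age. Separately, the PR title still says 15768000 while the merged hunk sets 31536000; the title should be updated to match.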
Member commented on this line:

31 meelyon

sherakama (Member) commented

Moving forward with 1 year. Thanks @jbickar

@sherakama sherakama merged commit 1bd184e into dev Mar 6, 2024
5 checks passed
@sherakama sherakama deleted the jbickar-patch-1 branch March 6, 2024 17:28
jbickar (Contributor, Author) commented Mar 7, 2024

That is some ... A+ work.

@yvonnetangsu yvonnetangsu mentioned this pull request Mar 13, 2024