Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#43507 - {website} Strict-Transport-Security header is not set
Attached to Project:
Arch Linux
Opened by Thiago Coutinho (thiagoc) - Monday, 19 January 2015, 13:35 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 03 August 2017, 22:11 GMT
Details: "HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header."
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Closed by Eli Schwartz (eschwartz)
Thursday, 03 August 2017, 22:11 GMT
Reason for closing: Implemented
Additional comments about closing: We now use HSTS and are on the preload list: https://lists.archlinux.org/pipermail/arch-dev-public/2017-January/028672.html
Please note that per the RFC the header should only be served over HTTPS and also please submit AL.org to https://hstspreload.appspot.com/
https://www.ssllabs.com/ssltest/analyze.html?d=archlinux.org is looking nice otherwise, good job :]
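A check for the two points raised in this ticket (the header only on HTTPS responses, and a value suitable for preload submission), as an added example that is not part of the original ticket or Arch Linux's own tooling. The function names, the finding strings and the sample responses are hypothetical, and the one-year `max-age` minimum is an assumption taken from the preload list's published requirements.

```python
import re

# Assumption: one-year minimum, per hstspreload.org's published submission requirements.
PRELOAD_MIN_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value} with lowercase names, or None if invalid."""
    directives = {}
    for part in value.split(";"):  # simplification: no ';' inside quoted values
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # values may be quoted-strings
        if name in directives:
            return None  # a directive may appear only once
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit(scheme, headers):
    """Return a list of findings for one response (empty list means clean)."""
    sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if scheme == "http":
        # RFC 6797 section 7.2: never send the header over non-secure transport.
        return ["header sent over plain HTTP"] if sts is not None else []
    if sts is None:
        return ["header missing on HTTPS response"]
    parsed = parse_hsts(sts)
    if parsed is None:
        return ["header malformed"]
    findings = []
    if parsed["max-age"] < PRELOAD_MIN_AGE:
        findings.append("max-age below preload minimum")
    findings += [f"missing {d}" for d in ("includesubdomains", "preload") if d not in parsed]
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured from archlinux.org.
    samples = [("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
               ("http", {"Strict-Transport-Security": "max-age=31536000"}),
               ("https", {"strict-transport-security": "max-age=300; max-age=600"})]
    for scheme, hdrs in samples:
        print(scheme, hdrs, "->", audit(scheme, hdrs) or "ok")
```
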