FS#43507 - {website} Strict-Transport-Security header is not set
Attached to Project:
Arch Linux
Opened by Thiago Coutinho (thiagoc) - Monday, 19 January 2015, 13:35 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 03 August 2017, 22:11 GMT
Details
"HTTP Strict Transport Security (HSTS) is an opt-in security
enhancement that is specified by a web application through
the use of a special response header."
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Closed by Eli Schwartz (eschwartz)
Thursday, 03 August 2017, 22:11 GMT
Reason for closing: Implemented
Additional comments about closing: We now use HSTS and are on the preload list: https://lists.archlinux.org/pipermail/arch-dev-public/2017-January/028672.html
Please note that per the RFC the header should only be served over HTTPS and also please submit AL.org to https://hstspreload.appspot.com/
https://www.ssllabs.com/ssltest/analyze.html?d=archlinux.org is looking nice otherwise, good job :]
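Added example, not part of the comment above or of the Arch Linux site configuration: a small checker for the two points raised there, that the header belongs only on HTTPS responses (RFC 6797, sections 7.2 and 8.1) and that a preload submission needs more than a bare `max-age`. The function names, the one-year threshold constant and the sample responses are assumptions made for this illustration.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year: minimum the preload list accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict, or None when a UA must ignore the header."""
    directives = {}
    for part in value.split(";"):  # simplification: ';' inside quotes not handled
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of a value
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be delta-seconds
    directives["max-age"] = int(directives["max-age"])
    return directives

def evaluate(scheme, headers):
    """scheme is 'http' or 'https'; headers is a list of (name, value) pairs."""
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    result = {"hsts": False, "preload_ready": False, "note": "header not set"}
    if not sts:
        return result
    if scheme != "https":
        # Section 7.2: must not be sent over HTTP; section 8.1: UAs ignore it there.
        return dict(result, note="sent over plain HTTP; remove it from this response")
    d = parse_hsts(sts[0])  # section 8.1: only the first header field is processed
    if d is None:
        return dict(result, note="malformed; user agents will ignore it")
    ready = (d["max-age"] >= PRELOAD_MIN_MAX_AGE
             and "includesubdomains" in d and "preload" in d)
    # max-age=0 tells the UA to forget the host, so it does not enable HSTS.
    return {"hsts": d["max-age"] > 0, "preload_ready": ready, "note": "ok"}

# Constructed sample responses, not captured from archlinux.org.
SAMPLES = [
    ("http", [("Strict-Transport-Security", "max-age=63072000")]),
    ("https", [("strict-transport-security", "max-age=63072000; includeSubDomains; preload")]),
]
if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, evaluate(scheme, headers))
```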