FS#43507 : {website} Strict-Transport-Security header is not set

FS#43507 - {website} Strict-Transport-Security header is not set

Attached to Project: Arch Linux
Opened by Thiago Coutinho (thiagoc) - Monday, 19 January 2015, 13:35 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 03 August 2017, 22:11 GMT

Task Type	Feature Request
Category	Web Sites
Status	Closed
Assigned To	Pierre Schmitz (Pierre) Dan McGee (toofishes)
Architecture	All
Severity	Medium
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 trendkiller (trendkiller) (2016-08-09) Jens Adam (byte) (2016-02-14)
Private	No

Details

"HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header."

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

This task depends upon

Closed by Eli Schwartz (eschwartz)
Thursday, 03 August 2017, 22:11 GMT
Reason for closing: Implemented
Additional comments about closing: We now use HSTS and are on the preload list: https://lists.archlinux.org/pipermail/ar ch-dev-public/2017-January/028672.html

Comment by Jens Adam (byte) - Sunday, 14 February 2016, 21:32 GMT

I've recently finished implementing several HTTP/TLS-related tweaks on domains under my control and yes, https://securityheaders.io/?q=https%3A%2F%2Fwww.archlinux.org%2F should be improved.
Please note that per the RFC the header should only be served over HTTPS and also please submit AL.org to https://hstspreload.appspot.com/
https://www.ssllabs.com/ssltest/analyze.html?d=archlinux.org is looking nice otherwise, good job :]

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#43507 - {website} Strict-Transport-Security header is not set

Details

Loading...