All subdomains of data.gov appear to be preloaded according to the https://hstspreload.org/ check, probably thanks to the DotGov Program HSTS Preloading program. But we keep getting false alarms from the monthly SecOps invicti scan reports complaining certain data.gov apps are not HSTS preloaded. In order to convince SecOps all *.data.gov (and *.*.data.gov) are preloaded, we can add the includeSubDomains directive to the data.gov top domain HSTS response header.
We would like it to be: strict-transport-security: max-age=31536000; preload; includeSubDomains, as other gov domains do, such as cloud.gov and gsa.gov.
Sketch
The other approach is to add the includeSubDomains directive to all individual data.gov apps such as catalog-dev.data.gov where we have full control of the nginx conf, but it does not work for apps like inventory.data.gov where we don't have access to the nginx conf.
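A checker for the header this issue asks for, added here as an example and not data.gov's or any project's code: it parses a Strict-Transport-Security value and reports which of the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload) it fails, which is the kind of mismatch that produces the scan findings described above. The sample header values are constructed.

```python
"""Check a Strict-Transport-Security header value against the hstspreload.org
submission requirements. Added example, not data.gov project code; the sample
header values at the bottom are constructed for illustration."""

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(header):
    """Parse 'max-age=...; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797), so keys are lowercased."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header):
    """Return the list of reasons the header fails the preload requirements;
    an empty list means the header is acceptable."""
    problems = []
    d = parse_hsts(header)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed samples: the header the issue wants on data.gov, and a header
# with preload but without includeSubDomains, which does not cover subdomains.
WANTED = "max-age=31536000; preload; includeSubDomains"
NO_SUBDOMAINS = "max-age=31536000; preload"

if __name__ == "__main__":
    for h in (WANTED, NO_SUBDOMAINS):
        print(h, "->", preload_problems(h) or "OK")
```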
I am against serving the data.gov website at https://data.gov externally. That is how we lost control of the HSTS header. Instead, we should serve it at https://www.data.gov, and do a 301 redirect from https://data.gov (internally hosted) to https://www.data.gov (externally hosted); during the redirect we can add our own HSTS header.