DoSomething / infrastructure

🐄 DoSomething.org's infrastructure, managed by Terraform.
MIT License

Increase 'Strict-Transport-Security' duration. #281

Closed DFurnes closed 3 years ago

DFurnes commented 3 years ago

What's this PR do?

This pull request increases our Strict-Transport-Security duration to 1 week. This means that once a user visits our website (and their browser sees this header), they'll only be able to load *.dosomething.org sites over HTTPS. (For the past few weeks, HTTPS would only be forced for the following 5 minutes after a user visited the site.)

How should this be reviewed?

👀

Any background context you want to provide?

We're slowly ramping this up over time to make sure that we don't accidentally cause issues we can't fix (since the setting is stored on users' local machines and therefore there's no way to "undo" this aside from waiting the duration specified).

Relevant tickets

References Pivotal #174911098.

Checklist
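
An added example, not part of the pull request or of DoSomething's Terraform code: a check that a deployed `Strict-Transport-Security` value matches the ramp-up stage that is meant to be live, and how long a browser that saw it keeps forcing HTTPS. The function names and the sample header are constructed, and `includeSubDomains` is assumed from the PR's statement that `*.dosomething.org` is covered.

```python
import re
from datetime import datetime, timedelta, timezone

# One directive: token, optionally "=" token-or-quoted-string (RFC 6797 section 6.1).
_DIRECTIVE = re.compile(r'([!#$%&\'*+.^_`|~0-9A-Za-z-]+)(?:\s*=\s*(?:"([^"]*)"|([^\s;"]+)))?')

def parse_hsts(value):
    """Return {'max_age', 'include_subdomains'}, or None if a browser would ignore the header."""
    seen = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue                      # empty directives are permitted
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None                   # malformed directive
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in seen:
            return None                   # a repeated directive invalidates the header
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None                       # max-age is required and must be delta-seconds
    if seen.get("includesubdomains") is not None:
        return None                       # includeSubDomains takes no value
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in seen}

def pinned_until(value, seen_at):
    """Time until which a browser that saw this header at seen_at keeps forcing HTTPS."""
    policy = parse_hsts(value)
    if policy is None or policy["max_age"] == 0:
        return None                       # ignored header, or max-age=0 which clears the pin
    return seen_at + timedelta(seconds=policy["max_age"])

def check_stage(value, expected_max_age, want_subdomains=True):
    """Compare a deployed header with the ramp-up stage that is meant to be live."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is missing max-age or malformed; browsers ignore it"]
    problems = []
    if policy["max_age"] != expected_max_age:
        problems.append(f"max-age is {policy['max_age']}, expected {expected_max_age}")
    if want_subdomains and not policy["include_subdomains"]:
        problems.append("includeSubDomains absent; subdomains are not covered")
    return problems

FIVE_MINUTES, ONE_WEEK = 300, 7 * 24 * 3600   # the two stages named in the PR
SAMPLE = "max-age=604800; includeSubDomains"   # constructed header value
```

Run `check_stage` against the header captured from the live site after each ramp-up step; an empty list means the stage is deployed as intended.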