Closed aweingarten closed 7 years ago
I think we still need a solution for https://github.com/Drupal4Gov/Drupal-GovCon-2016/issues/21, which is related. It appears CloudFlare is not in front of our site at this time, but I'm not 100% sure.
@aweingarten Fixed this by moving to a different CloudFlare account and tweaking the config, on production. Only last issue is that in the old code on production, the .htaccess contains the following:
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} ^drupalgovcon.org [NC]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Which is redirecting http://drupalgovcon.org/ to https://www.drupalgovcon.org/. For full HSTS preload eligibility we need http://drupalgovcon.org/ to redirect to https://drupalgovcon.org/, without the www. When testing locally (simulating production), our current D8 .htaccess config, in the new repo, is already correct for full preload eligibility. So once the D8 site rolls out, we can test again and submit it to preload below.
For reference: https://hstspreload.appspot.com/?domain=drupalgovcon.org
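The redirect-order requirement discussed in the comment above can be checked offline against a recorded redirect chain. This is an added example, not code from the thread or the project; the function names, the hop format, and the sample responses (including the HSTS header value) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year in seconds, the preload list minimum
REDIRECTS = (301, 302, 303, 307, 308)

def parse_hsts(value):
    """Return (max_age or None, set of lowercase flag names) from an HSTS header value."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def preload_problems(domain, hops):
    """hops: ordered (url, status, headers) tuples seen when fetching http://domain/.
    Header names are assumed to be lowercased already."""
    problems = []
    _, status, headers = hops[0]
    target = urlsplit(headers.get("location", ""))
    if status not in REDIRECTS or target.scheme != "https":
        problems.append("http:// does not redirect to https://")
    elif target.hostname != domain:
        problems.append(f"first redirect goes to {target.hostname}, not https://{domain}")
    # The bare domain itself must answer over HTTPS with the HSTS header,
    # even when that response is a further redirect to www.
    bare = [h for u, _, h in hops
            if urlsplit(u).scheme == "https" and urlsplit(u).hostname == domain]
    if not bare:
        problems.append(f"no HTTPS response from {domain} to carry the HSTS header")
        return problems
    max_age, flags = parse_hsts(bare[0].get("strict-transport-security", ""))
    if max_age is None or max_age < MIN_MAX_AGE:
        problems.append(f"max-age missing or below {MIN_MAX_AGE}")
    problems += [f"missing {f} directive"
                 for f in ("includesubdomains", "preload") if f not in flags]
    return problems

# Constructed responses, not captured from the live site.
HSTS = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
OLD_CHAIN = [("http://drupalgovcon.org/", 301, {"location": "https://www.drupalgovcon.org/"}),
             ("https://www.drupalgovcon.org/", 200, dict(HSTS))]
NEW_CHAIN = [("http://drupalgovcon.org/", 301, {"location": "https://drupalgovcon.org/"}),
             ("https://drupalgovcon.org/", 301,
              {"location": "https://www.drupalgovcon.org/", **HSTS}),
             ("https://www.drupalgovcon.org/", 200, dict(HSTS))]
```

With the old rule the browser never receives a response from the bare domain over HTTPS, so an HSTS header set only on www cannot cover `drupalgovcon.org` and its other subdomains.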
Business Requirements
() As a user I want my site to be secure.
Technical Requirements
() Redirect bare domain to www. domain
() deslash all requests at htaccess
() Update the site to set HSTS headers for prod only. This may be done via .htaccess