GSA / data.gov

Main repository for the data.gov service
https://data.gov
610 stars, 98 forks

Specify includeSubDomains directive in data.gov HSTS response header #4575

Open FuhuXia opened 9 months ago

FuhuXia commented 9 months ago

All subdomains of data.gov appear to be preloaded according to the https://hstspreload.org/ check, probably thanks to the DotGov Program HSTS Preloading program. But we keep getting false alarms from the monthly SecOps Invicti scan reports complaining that certain data.gov apps are not HSTS preloaded. In order to convince SecOps that all .data.gov (and *.\.data.gov) are preloaded, we can add the includeSubDomains directive to the data.gov top domain HSTS response header.

As of now, we have HSTS header as

$ curl -I  https://data.gov
...
strict-transport-security: max-age=31536000; preload
...

We would like it to be: strict-transport-security: max-age=31536000; preload; includeSubDomains, as other .gov domains do, such as cloud.gov and gsa.gov.

Sketch

The other approach is to add the includeSubDomains directive to all individual data.gov apps, such as catalog-dev.data.gov, where we have full control over the nginx conf, but it does not work for apps like inventory.data.gov where we don't have access to the nginx conf.

FuhuXia commented 8 months ago

There has been some discussion in the #admin-dns Slack channel.

FuhuXia commented 8 months ago

I am against serving the data.gov website at https://data.gov externally. That is how we lost control of the HSTS header. Instead, we should serve it at https://www.data.gov, and do a 301 redirect from https://data.gov (internally hosted) to https://www.data.gov (externally hosted); during the redirect we can add our own HSTS header.
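The redirect approach described above, written out as an nginx server block. This is an added illustration, not the data.gov project's configuration; the certificate paths are placeholders and the listen and server_name lines assume nginx terminates TLS for the bare domain. The hstspreload.org rules require the HSTS header on the HTTPS response of the base domain itself, and when that response is a redirect the header must be on the redirect rather than on the page it points to, which is exactly what this block does. `always` makes nginx emit the header regardless of status code (add_header already covers 301, but `always` removes the dependence on that default list).

```nginx
# Bare domain: terminate TLS here, emit a preload-eligible HSTS header,
# and send everything to the externally hosted www site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name data.gov;

    ssl_certificate     /etc/ssl/certs/data.gov.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/data.gov.key;           # placeholder path

    # Required by hstspreload.org: max-age >= 31536000, includeSubDomains, preload.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    return 301 https://www.data.gov$request_uri;
}

# Plain HTTP: redirect to HTTPS on the same host first (also a preload requirement).
# No HSTS header here; browsers ignore the header on non-TLS responses.
server {
    listen 80;
    listen [::]:80;
    server_name data.gov;
    return 301 https://data.gov$request_uri;
}
```

After deploying, `curl -I https://data.gov` should show both the 301 to https://www.data.gov and the strict-transport-security header with includeSubDomains on that same response.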