Open FuhuXia opened 9 months ago
There has been some discussion in the #admin-dns slack channel.
I am against serving the data.gov website at https://data.gov externally. That is how we lost control of the HSTS header. Instead, we should serve it at https://www.data.gov, and do a 301 redirect from https://data.gov (internally hosted) to https://www.data.gov (externally hosted); during the redirect we can add our own HSTS header.
All subdomains of data.gov appear to be preloaded according to the https://hstspreload.org/ check, probably thanks to the DotGov Program HSTS Preloading program. But we keep getting false alarms from the monthly SecOps Invicti scan reports complaining that certain data.gov apps are not HSTS preloaded. In order to convince SecOps that all *.data.gov (and *.*.data.gov) are preloaded, we can add the `includeSubDomains` directive to the data.gov top domain HSTS response header.

As of now, we have the HSTS header as

We would like it to be:

strict-transport-security: max-age=31536000; preload; includeSubDomains

as other gov domains do, such as cloud.gov and gsa.gov.
The other approach is to add the `includeSubDomains` directive to all individual data.gov apps such as catalog-dev.data.gov where we have full control of the nginx conf, but it does not work for apps like inventory.data.gov where we don't have access to the nginx conf.