gitpod-io / gitpod

The developer platform for on-demand cloud development environments to create software faster and more securely.
https://www.gitpod.io
GNU Affero General Public License v3.0

Preload HSTS for `gitpod.io` #17557

Closed lgarron closed 5 months ago

lgarron commented 1 year ago

Description

I see that www.gitpod.io is serving:

> curl --silent -I "https://www.gitpod.io" | grep "strict"
strict-transport-security: max-age=31536000; includeSubDomains; preload

However, gitpod.io is serving:

> curl --silent -I "https://gitpod.io" | grep "strict"
strict-transport-security: max-age=31536000

It would be great to send the same header for gitpod.io, so that all gitpod.io subdomains can be protected from HTTP tampering and HTTPS downgrade attacks through HSTS preloading: https://hstspreload.org/?domain=gitpod.io
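As an added illustration (not code from this issue or from the Gitpod project), a small parser that applies the hstspreload.org eligibility rules to the two header values quoted above; it shows the apex domain being rejected for the two missing directives while the www host passes:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the two header values quoted in the issue above.
HSTS_WWW = "max-age=31536000; includeSubDomains; preload"
HSTS_APEX = "max-age=31536000"

# hstspreload.org requires a max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, the max-age value may be quoted,
    and unknown directives are ignored rather than rejected."""
    policy = HstsPolicy()
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age directive: {raw.strip()!r}")
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy

def preload_problems(value: str) -> list:
    """Reasons hstspreload.org would reject this header; an empty list means eligible."""
    policy = parse_hsts(value)
    problems = []
    if policy.max_age is None:
        problems.append("missing max-age")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload")
    return problems
```

Running `preload_problems(HSTS_APEX)` returns the two missing directives, which is exactly why the apex domain is not preload-eligible while `preload_problems(HSTS_WWW)` is empty.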

lgarron commented 1 year ago

I'd send a pull request, but this codebase only seems to serve the response for "https://www.gitpod.io".

axonasif commented 1 year ago

Hi @lgarron ! Thanks for raising this and offering to help ✨

> but this codebase only seems to serve the response for "https://www.gitpod.io".

https://gitpod.io would be based on https://github.com/gitpod-io/gitpod AFAIK.

lgarron commented 1 year ago

> https://gitpod.io would be based on https://github.com/gitpod-io/gitpod AFAIK.

Thanks! Any chance I could ask you to move the issue there?

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.