mozilla / persona

Persona is a secure, distributed, and easy to use identification system.
https://login.persona.org

Use HSTS on the root persona.org domain? #4175

Closed pdehaan closed 9 years ago

pdehaan commented 10 years ago

via https://www.expeditedssl.com/simple-ssl-scanner/scan?target_domain=persona.org

Site uses HSTS

HTTP Strict Transport Security (HSTS) is an HTTP response header that is set on your web application server. Supporting browsers read the header, which contains an expiration max-age value, and will NOT reconnect on a plain HTTP connection until the max-age value is exceeded. HSTS prevents a variety of attacks where an intermediary could disrupt or spoof connections.

More HSTS information at: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
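The scanner report above only says whether a `Strict-Transport-Security` header was seen on the one host it connected to. The following is an added example (not code from the Persona repository or from bin/browserid) that builds and parses that header the way RFC 6797 describes, sets it from Express-style middleware, and answers the question the rest of this thread turns on: which hosts a given policy actually covers. HSTS is per-host, so a policy learned from login.persona.org says nothing about www.persona.org, and it only reaches its own subdomains when includeSubDomains is present. The hostnames, max-age values and the absent headers on www/apex in `SAMPLE_RESPONSES` are constructed for the example, not scan results.

```javascript
'use strict';

// Build a Strict-Transport-Security header value. maxAge is in seconds;
// max-age=0 tells a browser to forget any policy it already stored.
function buildHsts(policy) {
  if (!Number.isInteger(policy.maxAge) || policy.maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const parts = ['max-age=' + policy.maxAge];
  if (policy.includeSubDomains) parts.push('includeSubDomains');
  if (policy.preload) parts.push('preload');
  return parts.join('; ');
}

// Parse a header value as a browser does (RFC 6797 section 6.1): directives are
// ';'-separated, names are case-insensitive, the value may be quoted, max-age is
// mandatory and a repeated directive invalidates the whole header.
// Returns null when no policy would be stored (absent or malformed header).
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = Object.create(null);
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen[name]) return null; // duplicate directive: header is invalid
    seen[name] = true;
    if (name === 'max-age') {
      if (!/^\d+$/.test(val || '')) return null;
      policy.maxAge = parseInt(val, 10);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // unknown directives are ignored, as the RFC requires
  }
  return policy.maxAge === null ? null : policy;
}

// Does a policy learned from `policyHost` apply to a request for `target`?
// Exact host match always; subdomains only with includeSubDomains; a sibling
// host such as www.persona.org is never covered by login.persona.org's policy.
function hstsCovers(policyHost, policy, target) {
  if (!policy || policy.maxAge === 0) return false;
  const ph = policyHost.toLowerCase();
  const t = target.toLowerCase();
  if (t === ph) return true;
  return policy.includeSubDomains &&
    t.length > ph.length &&
    t.slice(-ph.length - 1) === '.' + ph;
}

// Express-style middleware that sets the header on every response.
// This is an assumed shape for illustration, not what bin/browserid does.
function hstsMiddleware(policy) {
  const header = buildHsts(policy);
  return function (req, res, next) {
    res.setHeader('Strict-Transport-Security', header);
    next();
  };
}

// Constructed sample of what a per-host scan could observe: the login host sends
// a policy, the static www site and the apex send nothing.
const SAMPLE_RESPONSES = {
  'login.persona.org': 'max-age=10886400; includeSubDomains',
  'www.persona.org': undefined,
  'persona.org': undefined,
};

// Report, per host, whether a valid HSTS policy was received.
function scan(responses) {
  const report = {};
  for (const host of Object.keys(responses)) {
    report[host] = parseHsts(responses[host]) !== null;
  }
  return report;
}
```

Running `scan(SAMPLE_RESPONSES)` reproduces the thread's situation: only login.persona.org reports true. `hstsCovers` also shows why an apex policy would need includeSubDomains to protect login.persona.org, and why a policy on login.persona.org cannot protect the www host either way.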

seanmonstar commented 10 years ago

https://github.com/mozilla/persona/blob/dev/bin/browserid#L86 ?

pdehaan commented 10 years ago

:shrug: It looks like our lil' Stooge tool is reporting HSTS issues w/ www.persona.org as well.

jrgm commented 10 years ago

The domain that matters is login.persona.org and its subdomains.

seanmonstar commented 10 years ago

Oh right, www.persona.org is a static site built from https://github.com/mozilla/persona.org. The headers could be fiddled by @gene1wood

pdehaan commented 10 years ago

Ah yes, I think I just said persona.org and it probably defaulted to www.

login.persona.org gets 5/5! #goteam https://www.expeditedssl.com/simple-ssl-scanner/scan?target_domain=login.persona.org

Feel free to punt this into the z-never abyss or just close it, since it's just a static page.

callahad commented 9 years ago

The mass-closing script misfired, but I'm going to keep this closed, per @pdehaan's suggestion. What matters is login.persona.org, nothing else references the apex or www domains.