Ticket #1365 (new enhancement)

Opened 11 years ago

shellinabox should set HSTS flag

Reported by: geofft Owned by:
Priority: normal Milestone: The Distant Future
Component: linerva Keywords:
Cc: Fixed in version:
Upstream bug:

Description

We should use HTTP Strict Transport Security to work around some possible MITMs against users who just type in linerva.mit.edu or athena.dialup.mit.edu, with no explicit protocol, into their browser. This involves setting a header in the HTTPS response that causes the site to always be accessed over HTTPS, and redirecting from HTTP to HTTPS.

This is very slightly more complicated for Linerva since we currently have a home page that is at least slightly interesting (e.g., I find it nice that people curious about traffic originating from Linerva can see a website). But this can be solved by making the link at the top of the SIAB page a little more prominent. For athena.dialup, HTTP already redirects to HTTPS.
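The two halves of the mechanism described in the ticket (a 301 from the plain-HTTP listener to the same URL over HTTPS, and a Strict-Transport-Security header emitted only on HTTPS responses) as a small Python example. This is added illustration, not shellinabox or Linerva code; the one-year max-age, the port 8080 listener and the placeholder landing page are assumptions for the demo. The header is deliberately not sent on the cleartext side: browsers ignore HSTS received over HTTP, and sending it there would give a MITM nothing to strip but also nothing to gain. A parser for the header value is included so a deployment can check what it actually emits.

```python
"""HSTS policy for a shellinabox-style host: HTTP->HTTPS redirect plus the
Strict-Transport-Security header, as pure functions wrapped in a tiny server.
Added example; not code from shellinabox or Linerva."""
from http.server import BaseHTTPRequestHandler, HTTPServer

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed value, not from the ticket)


def hsts_header(max_age=HSTS_MAX_AGE, include_subdomains=False):
    """Build a Strict-Transport-Security value per RFC 6797."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def strip_port(host):
    """Drop an explicit :port from a Host header (the HTTPS listener is on 443),
    leaving bracketed IPv6 literals intact."""
    if host.endswith("]"):
        return host
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def response_for(scheme, host, path):
    """Return (status, headers) for a GET that arrived over `scheme`."""
    if scheme == "http":
        # Cleartext request: permanent redirect to the same path over HTTPS.
        # No HSTS header here; user agents ignore it on non-TLS responses.
        return 301, {"Location": f"https://{strip_port(host)}{path}"}
    # TLS request: pin the host to HTTPS for future visits.
    return 200, {
        "Strict-Transport-Security": hsts_header(),
        "Content-Type": "text/html; charset=utf-8",
    }


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains).
    Returns None if it is invalid: no max-age, non-numeric max-age, or a
    directive repeated (RFC 6797 forbids duplicates). Unknown directives
    are ignored, as conforming user agents do."""
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def make_handler(scheme):
    """Request handler for a listener that speaks `scheme` ('http' or 'https')."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, headers = response_for(
                scheme, self.headers.get("Host", "localhost"), self.path)
            self.send_response(status)
            for name, value in headers.items():
                self.send_header(name, value)
            self.end_headers()
            if status == 200:
                # Placeholder landing page with the link to the terminal.
                self.wfile.write(b"<a href='/shellinabox/'>Open the terminal</a>\n")
    return Handler


if __name__ == "__main__":
    # Plain-HTTP side only; the HTTPS listener would wrap its socket with ssl
    # and use make_handler("https") so the HSTS header is emitted there.
    HTTPServer(("127.0.0.1", 8080), make_handler("http")).serve_forever()
```

Once the header is live, every cleartext path on the host is affected for the full max-age, which is why the ticket's concern about the Linerva home page matters: the home page must also be reachable over HTTPS, or HSTS will simply make it unreachable for returning browsers.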
