[wp-meta] [Making WordPress.org] #5898: Setting HSTS at WordPress domains
Making WordPress.org
noreply at wordpress.org
Tue Sep 14 01:16:44 UTC 2021
#5898: Setting HSTS at WordPress domains
---------------------------+---------------------
Reporter: JavierCasares | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: SSL | Resolution:
Keywords: |
---------------------------+---------------------
Comment (by dd32):
Just noting that we've had this running on the main WordPress.org domain
since early 2015, with a short timeout:
{{{
$ curl -Is https://wordpress.org/ | grep ^Strict
Strict-Transport-Security: max-age=360
}}}
This wasn't applied to other resources, as at the time we weren't sure if
it would have any downsides or cause problems. That's also the reason for
the low timeout.
There's no reason why we can't expand where this is set, although we'd
probably keep it off `api.wordpress.org`, which is deliberately accessible
over HTTP for older WordPress installations (although they wouldn't
respect the header anyway; it's more to be clear that it is
intentionally available over HTTP).
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5898#comment:2>
Making WordPress.org <https://meta.trac.wordpress.org/>
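The comment above checks one host by hand with curl. Below is an added example (not wordpress.org's own tooling) that does the same audit offline for several hosts: it parses the Strict-Transport-Security value per RFC 6797, flags a short max-age such as the 360 seconds quoted above as a policy that lapses minutes after the last visit, and treats a host that is meant to stay reachable over plain HTTP (api.wordpress.org in the comment) as correct only when the header is absent. The wordpress.org value is the one quoted in the comment; the other host names, the 24-hour "trial" threshold and the sample header values are constructed for illustration. The preload check encodes the browser preload list's published requirements (max-age of at least one year, includeSubDomains and preload).

```python
"""Offline audit of Strict-Transport-Security (HSTS) headers.

Added example, not wordpress.org's own tooling. Apart from the wordpress.org
value quoted in the ticket comment, the host names, thresholds and header
values below are constructed for illustration.
"""
import http.client
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 365 * 24 * 3600       # minimum max-age the browser preload list accepts
TRIAL_THRESHOLD = 24 * 3600      # anything shorter is called a "trial" policy (assumption)


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse one header value per RFC 6797 section 6.1; None means the header was absent."""
    if header is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=True)
    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name in seen:                     # a directive MUST NOT appear twice
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as the RFC requires
    if policy.max_age is None and not any(p.startswith("max-age") for p in policy.problems):
        policy.problems.append("max-age missing: browsers ignore the whole header")
    return policy


def assess(host: str, header: Optional[str], expect_http: bool = False) -> List[str]:
    """Return findings for one host; expect_http marks hosts meant to stay reachable over plain HTTP."""
    policy = parse_hsts(header)
    findings = list(policy.problems)
    if expect_http:
        if policy.present:
            findings.append(f"{host}: HSTS is set on a host meant to serve plain HTTP")
        return findings
    if not policy.present:
        findings.append(f"{host}: no HSTS header")
        return findings
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append(f"{host}: max-age=0 clears the policy instead of setting one")
        elif policy.max_age < TRIAL_THRESHOLD:
            findings.append(f"{host}: max-age={policy.max_age} expires {policy.max_age}s after "
                            "the last visit; protection lapses before most return visits")
        if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
            findings.append(f"{host}: preload directive without max-age>=1y and includeSubDomains; "
                            "the preload list will reject it")
    return findings


def fetch_hsts(host: str, timeout: float = 10.0) -> Optional[str]:
    """Live HEAD request, the equivalent of `curl -Is https://host/ | grep ^Strict`. Not used offline."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample: the wordpress.org value is the one quoted in the comment,
# the other entries are made up to exercise the checks.
SAMPLE = {
    "wordpress.org": ("max-age=360", False),
    "api.wordpress.org": (None, True),
    "good.example": ("max-age=63072000; includeSubDomains; preload", False),
    "bad.example": ("includeSubDomains; preload", False),
}


def audit(sample=SAMPLE) -> dict:
    """Map each host in the sample to its list of findings (empty list means OK)."""
    return {host: assess(host, header, expect_http) for host, (header, expect_http) in sample.items()}


if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "->", findings or ["ok"])
```

Replace `SAMPLE` with real values from `fetch_hsts()` to run it against live hosts; the `expect_http` flag is what keeps a deliberately plain-HTTP host like api.wordpress.org from showing up as a finding.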