Ticket #1365 (new enhancement)
Opened 11 years ago
shellinabox should set HSTS flag
Reported by: | geofft | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | The Distant Future |
Component: | linerva | Keywords: | |
Cc: | | Fixed in version: | |
Upstream bug: | | | |
Description
We should use HTTP Strict Transport Security to work around some possible MITMs against users who just type in linerva.mit.edu or athena.dialup.mit.edu, with no explicit protocol, into their browser. This involves setting a header in the HTTPS response that causes the site to always be accessed over HTTPS, and redirecting from HTTP to HTTPS.
This is very slightly more complicated for Linerva since we currently have a home page that is at least slightly interesting (e.g., I find it nice that people curious about traffic originating from Linerva can see a website). But this can be solved by making the link at the top of the SIAB page a little more prominent. For athena.dialup, HTTP already redirects to HTTPS.
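The two pieces the ticket asks for, an HTTP-to-HTTPS redirect and a Strict-Transport-Security header on every HTTPS response, together with the browser side that makes them useful, modelled in a small Python example. This is added here for illustration and is not code from the ticket or from shellinabox; the one-year max-age, the `handle_request`/`HstsStore` names and the request tuples are assumptions made for the example, and the host names used in the usage are the ones the ticket mentions.

```python
"""Added example (not from the ticket or shellinabox): server-side HSTS
emission and redirect, plus a client-side model of how a browser consumes
the header and upgrades later http:// navigations before any request goes
out, which is what closes the MITM window the ticket describes."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year; constructed value for the example


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def handle_request(scheme, host, path_qs, body="<html>ok</html>",
                   include_subdomains=False):
    """Server side: redirect plain HTTP to HTTPS and stamp every HTTPS
    response with Strict-Transport-Security.

    The header is deliberately absent from the HTTP response: RFC 6797
    requires user agents to ignore it over insecure transport, so sending
    it there achieves nothing."""
    if scheme == "http":
        return Response(301, {"Location": f"https://{host}{path_qs}"})
    if scheme != "https":
        return Response(400, body="unsupported scheme")
    directives = [f"max-age={HSTS_MAX_AGE}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    return Response(200, {"Strict-Transport-Security": "; ".join(directives),
                          "Content-Type": "text/html"}, body)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when max-age is missing, duplicated or non-numeric; a
    conforming browser ignores such a header rather than guessing."""
    max_age, include_subdomains = None, False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives are ignored, as RFC 6797 requires
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Client side: the browser's list of known HSTS hosts.

    `now` is passed explicitly so expiry can be exercised without sleeping."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, response, now):
        """Record (or, for max-age=0, forget) a host from an HTTPS response."""
        header = response.headers.get("Strict-Transport-Security")
        if header is None:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (now + max_age, include_subdomains)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL for a known host before it is ever sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    store = HstsStore()
    first = handle_request("https", "linerva.mit.edu", "/")
    store.observe("linerva.mit.edu", first, now=0)
    print(store.rewrite("http://linerva.mit.edu/", now=10))
```

Note what the model makes visible: the very first plain-HTTP visit is still unprotected (only the 301 helps there, and only if nothing is interfering), the header only takes effect once it has been seen over a valid HTTPS connection, and a host's `includeSubDomains` choice decides whether `athena.dialup.mit.edu` is covered by an entry for `mit.edu`. For shellinabox's own HTTPS listener the equivalent is simply adding the header to every response; the redirect belongs on whatever answers port 80.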