x/website,x/gddo: enable HSTS for godoc.org and golang.org #26162

Open
lgarron opened this issue Jun 30, 2018 · 5 comments
Labels
help wanted NeedsFix The path to resolution is known, but the work has not been done.

@lgarron

lgarron commented Jun 30, 2018

godoc.org uses HTTPS. It would be great to increase protection by implementing HSTS and preloading: https://hstspreload.org/?domain=godoc.org

This is especially valuable for godoc.org, since URLs are designed to be easily constructed (from other URLs) by hand and not everyone might add/keep the HTTPS scheme when they do so.

cc @FiloSottile

@lgarron
Author

lgarron commented Jun 30, 2018

It seems the godoc.org server is constructed at

https://github.com/golang/gddo/blob/9ab275bde8fe1bb887642e9250b8d58aba11af61/gddo-server/main.go#L850

but I'm not sure about the best place to add a new header.

@agnivade
Contributor

If this is just about godoc.org, I believe issues about that are tracked on that repo.

I also checked golang.org which seems to be missing the includeSubDomains directive, but it does have the preload header though.

@odeke-em odeke-em changed the title HSTS for godoc.org x/gddo: HSTS for godoc.org Jul 2, 2018
@gopherbot gopherbot added this to the Unreleased milestone Jul 2, 2018
@FiloSottile
Contributor

I suggested opening an issue here so that we can do godoc and golang.org at the same time.

@agnivade agnivade changed the title x/gddo: HSTS for godoc.org website,x/gddo: enable HSTS for godoc.org and golang.org Jul 3, 2018
@agnivade
Contributor

agnivade commented Jul 3, 2018

Ah alright. ping @andybons for golang.org.

@FiloSottile FiloSottile added the NeedsFix The path to resolution is known, but the work has not been done. label Jul 3, 2018
@gopherbot

Change https://golang.org/cl/122175 mentions this issue: cmd/godoc,cmd/tip: enable HSTS

gopherbot pushed a commit to golang/tools that referenced this issue Jul 6, 2018
Add the includeSubDomains directive to meet the requirements
for being added to the preload list described at https://hstspreload.org/.

Updates golang/go#26162

Change-Id: I415775aa523bcef3a52f1853de033f343b914e83
Reviewed-on: https://go-review.googlesource.com/122175
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@seankhliao seankhliao changed the title website,x/gddo: enable HSTS for godoc.org and golang.org x/website,x/gddo: enable HSTS for godoc.org and golang.org Mar 11, 2023
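
As an added illustration (not code from gddo, golang.org/x/website, or the referenced change), here is one way to attach the header by wrapping the server's root handler, together with a check of a header value against the hstspreload.org header requirements: max-age of at least 31536000, includeSubDomains, and preload. The names `withHSTS`, `preloadProblems`, `servedHeader` and `hstsValue` are hypothetical, and the wrapper assumes the Go process terminates TLS itself, so `r.TLS` is set on secure requests.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

const hstsValue = "max-age=31536000; includeSubDomains; preload" // assumed policy: one year

// withHSTS (hypothetical helper) sets the header on TLS requests only; RFC 6797 forbids it over plain HTTP.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsValue)
		}
		next.ServeHTTP(w, r)
	})
}

// preloadProblems lists the hstspreload.org header requirements that a value fails.
func preloadProblems(header string) []string {
	seen := map[string]string{}
	for _, d := range strings.Split(header, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		seen[strings.ToLower(strings.TrimSpace(name))] = strings.Trim(strings.TrimSpace(val), `"`)
	}
	var problems []string
	if n, err := strconv.ParseInt(seen["max-age"], 10, 64); err != nil || n < 31536000 {
		problems = append(problems, "max-age missing or below 31536000")
	}
	for _, want := range []string{"includesubdomains", "preload"} {
		if _, ok := seen[want]; !ok {
			problems = append(problems, want+" directive missing")
		}
	}
	return problems
}

func servedHeader(target string) string {
	rec := httptest.NewRecorder() // in-memory response; no network needed
	withHSTS(http.NotFoundHandler()).ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	fmt.Println(preloadProblems(servedHeader("https://godoc.org/")), preloadProblems("max-age=31536000; preload"))
}
```

The second value passed in `main` is a constructed header with `preload` but no `includeSubDomains`, the shape of gap reported for golang.org earlier in the thread.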