[
https://ovirt-jira.atlassian.net/browse/OVIRT-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33023#comment-33023
]
Marc Dequènes (Duck) commented on OVIRT-1231:
---------------------------------------------
So, the only place using it is the new ML3 server, which is in production only
for redirects. We're currently using the 'httpd' Ansible role to deploy the
configuration, which activates it. The role also activates 'includeSubDomains';
this is a desired setting but only when all the vhosts on the domain are able
to do HTTPS. This is not the case on all oVirt infra yet so it was deactivated
manually at some point IIRC.
So, this solution is not perfect but avoiding protocol downgrade is already a
very important protection and we should use it. We should also use
'includeSubDomains' when all our vhosts are ready. And we must not create
new vhosts without HTTPS support even for testing. Here are my recommendations.
> Security: do we need HSTS for oVirt services?
> ---------------------------------------------
>
> Key: OVIRT-1231
> URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1231
> Project: oVirt - virtualization made easy
> Issue Type: New Feature
> Reporter: eedri
> Assignee: infra
>
> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> Most of the browsers already support it and some websites started to enforce
> it.
> cc [~dfediuck]
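The constraint raised in the comment above, that 'includeSubDomains' is only safe once every vhost under the domain can serve HTTPS, can be checked against a vhost inventory before the header is enabled. This is an added example, not part of the original message or of the 'httpd' Ansible role; the hostnames, the inventory and the function names are constructed for illustration.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            digits = arg.strip().strip('"')  # value may be a quoted-string
            if not digits.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(digits)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy


def blocked_by_policy(policy_host, header, vhosts):
    """Return vhosts a browser would force to HTTPS but that cannot serve it."""
    policy = parse_hsts(header)
    if policy["max_age"] == 0:               # max-age=0 tells the browser to drop the policy
        return []
    broken = []
    for name, has_https in sorted(vhosts.items()):
        name = name.lower()
        covered = name == policy_host or (
            policy["include_subdomains"] and name.endswith("." + policy_host))
        if covered and not has_https:
            broken.append(name)
    return broken


# Constructed inventory (not real oVirt vhosts): name -> can it serve HTTPS?
VHOSTS = {
    "example.org": True,
    "lists.example.org": True,
    "test.example.org": False,   # HTTP-only test vhost
    "notexample.org": False,     # shares a suffix but is not a subdomain
}

if __name__ == "__main__":
    for hdr in ("max-age=31536000", "max-age=31536000; includeSubDomains"):
        print(hdr, "->", blocked_by_policy("example.org", hdr, VHOSTS))
```

An empty result for the header with 'includeSubDomains' means the inventory is ready for it; any name returned is a vhost that would become unreachable in browsers that have cached the policy.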