Bug #38764

closed

Enforce HTTPS on tracker.ceph.com

Added by Ernesto Puerta about 5 years ago. Updated almost 5 years ago.

Status: Resolved
Priority: Normal
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 1 - critical
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):

Description

ceph.com already redirects to the secure endpoint and sets CSP upgrade-insecure-requests (https://www.w3.org/TR/upgrade-insecure-requests/).

However, tracker.ceph.com does not follow this practice, so if you miss adding the trailing -s or the plain-text one gets cached in your browser history, you'll end up regularly sending your password/session cookies unencrypted on the wire. Could it be possible to enable HSTS or at least CSP in the Ceph tracker, and request addition to the browser HSTS preload list (https://hstspreload.org)?
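As an added example (not part of the original report and not Ceph's own tooling), the controls requested above can be expressed as a header audit: a redirect on plain HTTP, an HSTS policy that meets the hstspreload.org minimums, the CSP directive, and the cookie's Secure attribute. The sample responses and the `sid` cookie name are constructed, not captured from tracker.ceph.com.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, set of flag directives)."""
    max_age, flags = None, set()
    for part in (p.strip() for p in value.split(";")):
        name, _, arg = part.partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif part:
            flags.add(part.lower())
    return max_age, flags

def audit(scheme, status, headers):
    """Return a list of findings for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme == "http":
        loc = h.get("location", "")
        if status not in (301, 302, 307, 308) or not loc.lower().startswith("https://"):
            findings.append("plain-HTTP response does not redirect to https://")
        return findings  # HSTS sent over plain HTTP is ignored by browsers (RFC 6797)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append("HSTS max-age below one year")
        for flag in ("includesubdomains", "preload"):
            if flag not in flags:
                findings.append(f"HSTS missing {flag} (needed for preload list)")
    directives = [d.strip().split(" ")[0] for d in h.get("content-security-policy", "").lower().split(";")]
    if "upgrade-insecure-requests" not in directives:
        findings.append("CSP lacks upgrade-insecure-requests")
    cookie = h.get("set-cookie", "")
    if cookie and not re.search(r";\s*secure\b", cookie, re.I):
        findings.append("session cookie set without Secure attribute")
    return findings

# Constructed sample responses for illustration.
WEAK_HTTPS = {"Set-Cookie": "sid=constructed; path=/; HttpOnly"}
SHORT_HSTS = {"Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "upgrade-insecure-requests"}
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
              "Content-Security-Policy": "upgrade-insecure-requests",
              "Set-Cookie": "sid=constructed; path=/; HttpOnly; Secure"}
```

Feed `audit()` the scheme, status code and headers of each response in the redirect chain; an empty list means the response meets every check.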
