Bug #38764 (closed): Enforce HTTPS on tracker.ceph.com
% Done: 0%
Regression: No
Severity: 1 - critical
Description
ceph.com already redirects to the secure endpoint and sets the CSP upgrade-insecure-requests directive (https://www.w3.org/TR/upgrade-insecure-requests/).
However tracker.ceph.com does not follow this practice, so if you miss adding the trailing -s or the plain-text one gets cached in your browser history, you'll end up regularly sending your password/session cookies unencrypted on the wire. Could it be possible to enable HSTS or at least CSP in the Ceph tracker, and request addition to the browser HSTS preload list (https://hstspreload.org)?
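As an added illustration (not part of the bug report or of the Ceph tracker's own configuration), the following Python script shows what "enable HSTS or at least CSP" means in terms of concrete response headers and checks a set of headers against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). It also flags a Set-Cookie without the Secure attribute, since that is what lets a session cookie leak over plain HTTP as the report describes. The two header sets at the bottom are constructed samples, not captures from ceph.com or tracker.ceph.com, and the cookie name in them is just a placeholder.

```python
"""Audit HTTPS-hardening response headers: HSTS, CSP upgrade-insecure-requests, Secure cookies.

Added example; not code from the Ceph project or the tracker. The sample
header sets below are constructed for illustration only.
"""
from typing import Dict, List, Optional

# hstspreload.org requires max-age >= 1 year (31536000 s) on the base domain.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security header into {directive: value-or-None}.

    Directive names are case-insensitive (RFC 6797), so they are lowercased.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def csp_upgrades_insecure_requests(value: str) -> bool:
    """True if a Content-Security-Policy header carries upgrade-insecure-requests."""
    return any(d.strip().lower() == "upgrade-insecure-requests" for d in value.split(";"))


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means all checks passed.

    Header names are matched case-insensitively, as browsers do.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers will keep following plain-http links")
    else:
        d = parse_hsts(hsts)
        try:
            age = int(d["max-age"]) if d.get("max-age") is not None else -1
        except ValueError:
            age = -1
        if age < 0:
            findings.append("HSTS max-age missing or not an integer")
        elif age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains (required for preload)")
        if "preload" not in d:
            findings.append("HSTS lacks preload directive (required for preload list submission)")

    csp = lower.get("content-security-policy")
    if csp is None or not csp_upgrades_insecure_requests(csp):
        findings.append("no CSP upgrade-insecure-requests: http:// subresources are not upgraded")

    cookie = lower.get("set-cookie")
    if cookie is not None:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        if "secure" not in attrs:
            findings.append("Set-Cookie lacks Secure: the cookie will be sent over plain HTTP")

    return findings


# Constructed sample responses (not real captures from any Ceph host).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "Set-Cookie": "session=PLACEHOLDER; Path=/; Secure; HttpOnly",
}
BARE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=PLACEHOLDER; Path=/",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("bare", BARE_HEADERS)):
        print(label, "->", audit_headers(hdrs) or ["ok"])
```

To use it against a live host, pass the headers of the HTTPS response (for example `dict(resp.headers)` from `requests.get(url)`) to `audit_headers`; the script itself performs no network access. Note that the preload list additionally requires the plain-HTTP listener to redirect to HTTPS on the same host, which is a behaviour of the redirect, not of a header, and so is outside what this check can see.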