[ https://ovirt-jira.atlassian.net/browse/OVIRT-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33023#comment-33023 ] Marc Dequènes (Duck) commented on OVIRT-1231: --------------------------------------------- So, the only place using it is the new ML3 server, which is on production only for redirects. We're currently using the 'httpd' Ansible role to deploy the configuration, which activates it. The role also activates 'includeSubDomains'; this is a desired setting but only when all the vhosts on the domain are able to do HTTPS. This is not the case on all oVirt infra yet so it was deactivated manually at some point IIRC. So, this solution is not perfect but avoiding protocol downgrade is already a very important protection and we should use it. We should also use 'includeSubDomains' too when all our vhosts are ready. And we must not create new vhosts without HTTPS support even for testing. Here are my recommendations.

Security: do we need HSTS for oVirt services? ---------------------------------------------

Key: OVIRT-1231 URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1231 Project: oVirt - virtualization made easy Issue Type: New Feature Reporter: eedri Assignee: infra

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Most of the browsers already supports it and some websites started to enforce it. cc [~dfediuck]

-- This message was sent by Atlassian JIRA (v1000.1092.0#100053)