Today we merged two small changes [0][1] to the front proxy for
*.toolforge.org. These changes allowed us to close a 5 year old
feature request [2] asking for Toolforge to always use TLS (HTTPS) and
to also set a strict-transport-security header (HSTS) to tell web
browsers that they should *always* use TLS when talking to a Toolforge
webservice.
Most of this has been happening for some time, but the final changes
were to increase the HSTS duration to one year (technically we
advertise 31,622,400 seconds which is 366 days) and to close the "POST
loophole". The "POST loophole" was created when TLS was first enforced
on Toolforge back in January 2019 [3]. It allowed HTTP requests with
the POST verb to continue without TLS encryption. This was done
because of unspecified behavior of clients (web browsers) when
receiving an HTTP "301 Permanent Redirect" response to a POST action.
A similar exception was originally made when the Wikimedia project
wikis were switched to always require TLS encryption.
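The two properties described above (every plain-HTTP request, POST included, is redirected to HTTPS, and HTTPS responses carry an HSTS header of at least one year) can be verified from the outside. The following is an added example, not code from the Toolforge front proxy or from the linked changes: it parses a Strict-Transport-Security value per RFC 6797 and evaluates constructed sample responses against both properties. Host names, status codes and header values in the samples are made up for illustration; whether the real proxy answers with 301 or 307/308 is not stated in the announcement.

```python
"""Offline checks for an always-TLS front proxy: plain-HTTP requests must be
redirected to https:// (whatever the method), and HTTPS responses must carry
a long-lived HSTS header.  All responses below are constructed samples; the
real proxy is not queried."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# One calendar year; Toolforge advertises 31,622,400 (366 days), which passes.
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # 31,536,000

# Redirect codes that oblige the client to keep the request method.
METHOD_PRESERVING = {307, 308}


@dataclass
class Response:
    status: int
    headers: dict  # header names are matched case-insensitively

    def header(self, name):
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns {'max-age': int or None, 'includeSubDomains': bool, 'preload': bool}.
    Directive names are case-insensitive; unknown directives are ignored.
    """
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                result["max-age"] = int(arg)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(resp, min_max_age=ONE_YEAR_SECONDS):
    """Return problems with the HSTS policy of an HTTPS response ([] = fine)."""
    value = resp.header("Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    hsts = parse_hsts(value)
    if hsts["max-age"] is None:
        return ["max-age directive missing or not a number"]
    if hsts["max-age"] < min_max_age:
        return [f"max-age {hsts['max-age']} is below {min_max_age}"]
    return []


def check_plain_http_redirect(resp, method, expected_host):
    """Return problems with how a plain-HTTP request was handled ([] = fine).

    Every plain-HTTP request should become a redirect to the https:// form of
    the same host.  For methods other than GET/HEAD, a 301/302 leaves it to the
    client whether the method survives the redirect (the reason the POST
    exemption existed); 307/308 keep the method, so anything else is reported.
    """
    problems = []
    if not 300 <= resp.status < 400:
        return [f"{method} over plain HTTP was served ({resp.status}) instead of redirected"]
    location = resp.header("Location")
    if location is None:
        return ["redirect without a Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if target.hostname != expected_host:
        problems.append(f"redirect leaves the host: {target.hostname}")
    if method not in ("GET", "HEAD") and resp.status not in METHOD_PRESERVING:
        problems.append(f"{resp.status} on {method} may be replayed as GET; 307/308 preserves the method")
    return problems


# Constructed samples (not captured from any toolforge.org host).
AFTER_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=31622400"})
AFTER_HTTP_POST = Response(308, {"Location": "https://example.toolforge.org/submit"})
BEFORE_HTTP_POST = Response(200, {"Content-Type": "text/html"})  # the old POST loophole
SHORT_HSTS = Response(200, {"Strict-Transport-Security": "max-age=86400; includeSubDomains"})

if __name__ == "__main__":
    print(check_hsts(AFTER_HTTPS))
    print(check_plain_http_redirect(AFTER_HTTP_POST, "POST", "example.toolforge.org"))
    print(check_plain_http_redirect(BEFORE_HTTP_POST, "POST", "example.toolforge.org"))
    print(check_hsts(SHORT_HSTS))
```

Against a live host the same two functions would be fed the status and headers of an `http://` POST and of an `https://` GET; the parser is the part that is easy to get wrong by hand, since `max-age` is the only directive that carries a value and its absence makes the header meaningless.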
We do not expect new issues with the use of Toolforge webservices as a
result of this change, but if you find something behaving badly as a
result please report it in Phabricator using the #Toolforge project
tag or join us in the #wikimedia-cloud Freenode IRC channel to ask for
help.
[0]: https://gerrit.wikimedia.org/r/612947
[1]: https://gerrit.wikimedia.org/r/612948
[2]: https://phabricator.wikimedia.org/T102367
[3]: https://phabricator.wikimedia.org/phame/post/view/132/migrating_tools.wmfla…
Bryan
--
Bryan Davis Technical Engagement Wikimedia Foundation
Principal Software Engineer Boise, ID USA
[[m:User:BDavis_(WMF)]] irc: bd808