Today we merged two small changes [0][1] to the front proxy for *.toolforge.org. These changes allowed us to close a 5 year old feature request [2] asking for Toolforge to always use TLS (HTTPS) and to also set a strict-transport-security header (HSTS) to tell web browsers that they should *always* use TLS when talking to a Toolforge webservice.
Most of this has been happening for some time, but the final changes were to increase the HSTS duration to one year (technically we advertise 31,622,400 seconds, which is 366 days) and to close the "POST loophole". The "POST loophole" was created when TLS was first enforced on Toolforge back in January 2019 [3]. It allowed HTTP requests with the POST verb to continue without TLS encryption. This was done because of unspecified behavior of clients (web browsers) when receiving an HTTP "301 Permanent Redirect" response to a POST action. A similar exception was originally made when the Wikimedia project wikis were switched to always require TLS encryption.
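To make the policy concrete, here is an added example (not the Toolforge proxy's own code, which lives in the linked Gerrit changes): a small WSGI middleware that redirects every plaintext request to its https:// equivalent with a 301, optionally reproduces the retired "POST loophole" for comparison, and adds a Strict-Transport-Security header with the 366-day max-age quoted above to TLS responses. The `hello_app` webservice, the `call` in-process client and the hostname `tool.toolforge.org` are constructed for the example.

```python
from urllib.parse import quote

ONE_YEAR_SECONDS = 31_622_400  # 366 days; the max-age the announcement advertises


def hello_app(environ, start_response):
    """Stand-in for a tool's webservice (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from " + environ["REQUEST_METHOD"].encode()]


def enforce_tls(app, hsts_max_age=ONE_YEAR_SECONDS, allow_plain_post=False):
    """Wrap a WSGI app with a front-proxy policy like the one described above.

    Plaintext requests get a 301 to the https:// URL; TLS responses gain a
    Strict-Transport-Security header.  allow_plain_post=True reproduces the
    old "POST loophole", where POST was let through unencrypted because clients
    handled a 301 answer to a POST inconsistently.  The loophole is off by default.
    """
    def wrapped(environ, start_response):
        # wsgi.url_scheme is set by the server from the actual connection; a real
        # proxy would derive it from where TLS is terminated, never from the client.
        if environ.get("wsgi.url_scheme") != "https":
            if allow_plain_post and environ["REQUEST_METHOD"] == "POST":
                return app(environ, start_response)
            target = "https://" + environ["HTTP_HOST"] + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Only advertise HSTS on responses that were themselves served over TLS.
            headers = list(headers) + [("Strict-Transport-Security",
                                        f"max-age={hsts_max_age}")]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def hsts_max_age(headers):
    """Return the max-age from a Strict-Transport-Security header, or None if absent."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.lower() == "max-age" and val.isdigit():
                    return int(val)
    return None


def call(app, method, scheme, host, path, query=""):
    """Minimal in-process WSGI client (constructed); returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": query}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    proxy = enforce_tls(hello_app)
    # A plaintext POST is now redirected like any other method.
    print(call(proxy, "POST", "http", "tool.toolforge.org", "/submit", "x=1"))
    # A TLS request is served and carries the one-year HSTS header.
    print(call(proxy, "GET", "https", "tool.toolforge.org", "/"))
```

Running the block shows the plaintext POST answered with `301 Moved Permanently` and a `Location` of `https://tool.toolforge.org/submit?x=1`, while the HTTPS request returns `200 OK` with `Strict-Transport-Security: max-age=31622400`. Passing `allow_plain_post=True` lets the same POST through unencrypted, which is the behaviour the merged changes removed.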
We do not expect new issues with the use of Toolforge webservices as a result of this change, but if you find something behaving badly as a result, please report it in Phabricator using the #Toolforge project tag or join us in the #wikimedia-cloud Freenode IRC channel to ask for help.
[0]: https://gerrit.wikimedia.org/r/612947
[1]: https://gerrit.wikimedia.org/r/612948
[2]: https://phabricator.wikimedia.org/T102367
[3]: https://phabricator.wikimedia.org/phame/post/view/132/migrating_tools.wmflab...
Bryan