accounts.firefox.com sends two HSTS headers
hannob opened this issue · 5 comments
Description
accounts.firefox.com sends two strict-transport-security headers, one with and one without includeSubDomains. This is a misconfiguration.
Steps to reproduce
curl -sI https://accounts.firefox.com/|grep -i ^strict-transport-security
Output:
strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000
Expected result
HSTS header should be sent only once.
Actual result
Two different HSTS headers are sent with different scopes.
Misc
I do not believe that this is a security problem. However, it could easily have been, possibly if they were sent in a different order.
It appears browsers use the first header sent, or consider the preload list. Therefore, the header with the larger scope, i.e. includeSubDomains, is used.
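The duplicate-header behaviour described in this report can be checked mechanically. The following audit script is an added example and is not code from the reporter or from the Firefox Accounts project; it parses each Strict-Transport-Security field value, applies the RFC 6797 section 8.1 rule that a user agent processes only the first STS header in a response, and flags the case the report warns about, where a later header carries a broader scope (includeSubDomains) than the one that actually takes effect. The sample header list is constructed from the curl output quoted above; the function and class names are this example's own.

```python
import re
import sys
import http.client
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the two headers reported for accounts.firefox.com, in the order seen.
SAMPLE_RESPONSE_HEADERS = [
    ("content-type", "text/html; charset=utf-8"),
    ("strict-transport-security", "max-age=31536000; includeSubDomains"),
    ("strict-transport-security", "max-age=31536000"),
]


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security field value (RFC 6797 section 6.1)."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:  # RFC 6797: a directive MUST NOT appear more than once
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                policy.errors.append(f"bad max-age value: {arg!r}")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # unknown directives are ignored, as the RFC requires
    if policy.max_age is None:
        policy.errors.append("missing max-age")
    return policy


def audit_sts_headers(headers: List[Tuple[str, str]]):
    """Return (effective_policy, findings) for a list of (name, value) response headers."""
    sts_values = [v for (n, v) in headers if n.lower() == "strict-transport-security"]
    if not sts_values:
        return None, ["no Strict-Transport-Security header"]
    policies = [parse_hsts(v) for v in sts_values]
    effective = policies[0]  # RFC 6797 s8.1: only the first STS header is processed
    findings: List[str] = []
    if len(policies) > 1:
        findings.append(f"{len(policies)} STS headers sent; user agents process only the first")
        for i, p in enumerate(policies[1:], start=2):
            if (p.max_age, p.include_subdomains, p.preload) != (
                effective.max_age, effective.include_subdomains, effective.preload):
                findings.append(f"STS header #{i} differs from the first and is ignored")
        # The risky ordering from the report: broader scope sent later would be lost.
        if any(p.include_subdomains and not effective.include_subdomains for p in policies[1:]):
            findings.append("a later header carries includeSubDomains but the effective one does not")
    for err in effective.errors:
        findings.append(f"effective header: {err}")
    return effective, findings


def fetch_headers(host: str) -> List[Tuple[str, str]]:
    """HEAD request over TLS; returns the response headers as (name, value) pairs."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheaders()


if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE_HEADERS
    policy, notes = audit_sts_headers(hdrs)
    print("effective policy:", policy)
    for note in notes:
        print("finding:", note)
```

Run it with no arguments to audit the constructed sample, or pass a hostname to audit a live site over HTTPS. Note that the script reports what a conforming user agent would apply from the response alone; a host already on the preload list keeps its preloaded policy regardless of what it sends.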
Thanks for filing this!
@hannob Thank you for filing the issue. You were correct that it was a misconfiguration. It's been fixed.
FWIW, it's not fixed:
$ curl -sI https://accounts.firefox.com/|grep -i ^strict-transport-security
strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000
It'll be fixed with our next deploy on March 6
This is live now. Thanks again