Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#21705 closed defect (fixed)

Invalid Strict-Transport-Security header

Reported by: cypherpunks Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Onionoo sets an invalid strict transport security header, namely Strict-Transport-Security:""max-age=15768000"" (notice the double double quotes). This leads to Tor Browser giving the following error in the console.

Strict-Transport-Security: The site specified a header that could not be parsed successfully.

Child Tickets

Change History (3)

comment:1 Changed 4 years ago by karsten

Component: Metrics/OnionooInternal Services/Tor Sysadmin Team
Owner: changed from metrics-team to tpa

Indeed, thanks for the report!

Looks like this invalid header comes back from orestis, whereas omeiense returns the correct header:

< * Connected to ( port 443 (#0)
> * Connected to ( port 443 (#0)
< < X-Varnish: 122699485 122515587
< < Age: 82
> < X-Varnish: 122576486 122515587
> < Via: 1.1 varnish-v4
> < X-Varnish: 141652475
> < Age: 104
< < Strict-Transport-Security: max-age=15768000
> < Strict-Transport-Security: "max-age=15768000"

Reassigning to our friendly sysadmin team. (Thanks!)

comment:2 Changed 4 years ago by weasel

Resolution: fixed
Status: newclosed

Good catch.

Upgraded the orestis haproxy to jessie-backports version also.

comment:3 Changed 4 years ago by karsten

Thanks, weasel!

Note: See TracTickets for help on using tickets.