SecurityEngineering/HTTP Strict Transport Security (HSTS) Preload List

From MozillaWiki

Firefox ships with a list of hosts that are treated as HTTP Strict Transport Security (HSTS, see RFC 6797) hosts by default. This list is derived from the list Chromium maintains. The versions of the list as it exists in the various channels of Firefox are available here: mozilla-central, mozilla-beta, mozilla-release, mozilla-esr60.

Every day, an automated job attempts to update the preload list in mozilla-central and mozilla-esr. The job runs an xpcshell script that makes an HTTPS request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list; the "preload" directive is ignored. If xpcshell cannot connect successfully to a host, or does not receive an appropriate header, that host is not included in the preload list.

The xpcshell script is here. Output from the automated job as run on each branch is available here: mozilla-central, esr60 (scroll down until there is a line containing "pfu", click on it, then click on "live.log" in the pane that pops up).

To guard against accidentally dropping a host from the list due to intermittent network issues or an active attacker, if a host is already on the preload list in Firefox but cannot be reached, the script keeps it on the preload list. For a host to be removed from Firefox's preload list, it must be accessible when the update script runs and it must either not send a Strict-Transport-Security header or it must send the header with a max-age less than 10886400.
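The inclusion and retention rules from the two paragraphs above, as an added JavaScript example that is not Mozilla's xpcshell script: the function and parameter names are assumptions, and the live HTTPS request is replaced by a constructed probe result so the decision logic can be checked offline.

```javascript
// Added example, not the Mozilla update script. Reproduces the preload-list
// decision rules described on this page as pure functions.
const MIN_MAX_AGE = 10886400; // 18 weeks in seconds, the threshold the job applies

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1) into a map
// of lowercased directive names to values. Returns null for an empty or invalid header.
function parseSts(value) {
  if (typeof value !== "string" || value.trim() === "") return null;
  const directives = {};
  for (const part of value.split(";")) {
    const piece = part.trim();
    if (piece === "") continue;
    const eq = piece.indexOf("=");
    const name = (eq === -1 ? piece : piece.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? "" : piece.slice(eq + 1).trim();
    // RFC 6797 allows a quoted-string value, e.g. max-age="31536000".
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    // A directive appearing twice makes the header invalid per RFC 6797; reject it.
    if (name in directives) return null;
    directives[name] = val;
  }
  return directives;
}

// Decide whether a host belongs on the next preload list.
//   alreadyPreloaded: true if the host is on the current Firefox list
//   probe (constructed stand-in for the HTTPS request):
//     { reachable: false }                   -> connection failed
//     { reachable: true, sts: undefined }    -> connected, no STS header
//     { reachable: true, sts: "max-age=..." } -> connected, header received
// Returns "include" or "exclude".
function preloadDecision(alreadyPreloaded, probe) {
  if (!probe.reachable) {
    // Unreachable: existing entries are kept (guards against flaky networks or an
    // active attacker); a new candidate that cannot be reached is not added.
    return alreadyPreloaded ? "include" : "exclude";
  }
  const directives = parseSts(probe.sts);
  if (!directives || !("max-age" in directives)) return "exclude";
  const maxAge = directives["max-age"];
  if (!/^\d+$/.test(maxAge)) return "exclude"; // max-age must be a non-negative integer
  // Only max-age is consulted; the "preload" directive is ignored, as on this page.
  return Number(maxAge) >= MIN_MAX_AGE ? "include" : "exclude";
}
```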

The preload list has a built-in expiration time that is 18 weeks from when the list was most recently updated.