SecurityEngineering/HTTP Strict Transport Security (HSTS) Preload List

From MozillaWiki

Firefox ships with a list of hosts that are treated as HTTP Strict Transport Security (HSTS, see RFC 6797) hosts by default, i.e. before Firefox has ever seen a Strict-Transport-Security header from them. This list is based on a list Chromium maintains. The versions of the list as it exists in the various channels of Firefox are available here: mozilla-central mozilla-beta mozilla-release mozilla-esr52.

Every day, an automated job attempts to update the preload list in mozilla-central and mozilla-esr. This involves running an xpcshell script that makes an HTTPS request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list (the "preload" directive is ignored; only the max-age value matters). If xpcshell cannot connect successfully to a host, or connects but does not receive an appropriate header, that host is not included in the preload list (see the exception below for hosts that are already on the list). A corresponding entry in this file may help in determining the underlying error.

The xpcshell script is here. Output from the automated job as run on each branch is available here: mozilla-central mozilla-esr52 (search for "periodicupdate").

To guard against accidentally dropping a host from the list due to intermittent network issues, or because an active attacker blocks the connection while the job runs, if a host is already on the preload list in Firefox but cannot be reached, the script keeps it on the preload list. For a host to be removed from Firefox's preload list, it must be accessible when the update script runs and it must either not send a Strict-Transport-Security header or it must send the header with a max-age less than 10886400. In other words, an unreachable host is only ever dropped if it was not already on the list; removal always requires a successful connection that shows the host no longer meets the requirement.
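The inclusion rule from the two paragraphs above (header received with max-age of at least 10886400, preload directive ignored) and the keep-if-unreachable rule, written out as an added example. This is illustrative Python, not the xpcshell script the page links to, and the hosts, connection results and header values are constructed inline rather than fetched. The Strict-Transport-Security header is parsed the way RFC 6797 describes it: directives separated by ";", names case-insensitive, max-age given as delta-seconds, optionally quoted, and a header that repeats a directive is treated as invalid.

```python
# Added illustration of the preload update rules. Not Mozilla's xpcshell script;
# the hosts and headers below are constructed test data, not real fetch results.

# Minimum max-age for inclusion: 18 weeks in seconds, as stated on the page.
MIN_MAX_AGE = 10886400


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into {directive: value}.

    Returns None if the header is malformed (RFC 6797 forbids repeating a
    directive, and a directive name must not be empty).
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if not name or name in directives:
            return None
        # Values may be quoted strings; strip one layer of quotes.
        directives[name] = value.strip().strip('"') if has_value else None
    return directives


def hsts_max_age(header):
    """Return the max-age in seconds, or None if there is no valid max-age."""
    directives = parse_hsts(header)
    if directives is None:
        return None
    value = directives.get("max-age")
    if value is None or not value.isdigit():
        return None
    return int(value)


def header_qualifies(header):
    """True if the header alone would earn the host a preload entry.

    The 'preload' and 'includeSubDomains' directives are parsed but, as the
    page says about 'preload', they do not affect the include decision here.
    """
    age = hsts_max_age(header)
    return age is not None and age >= MIN_MAX_AGE


def keep_host(already_preloaded, reachable, header):
    """Decide whether a host belongs on the new list.

    already_preloaded: host is on the current Firefox list
    reachable:         the HTTPS request succeeded
    header:            the STS header value received, or None if none was sent
    """
    if not reachable:
        # Unreachable hosts are never removed, only not newly added.
        return already_preloaded
    if header is None:
        return False
    return header_qualifies(header)


def update_preload_list(current_list, scan_results):
    """Apply keep_host to every candidate and return the new sorted list.

    scan_results maps host -> (reachable, header_or_None).
    """
    current = set(current_list)
    new_list = set()
    for host, (reachable, header) in scan_results.items():
        if keep_host(host in current, reachable, header):
            new_list.add(host)
    # Hosts on the current list that were not scanned at all are treated as
    # unreachable and therefore kept (assumption: matches the stated intent).
    for host in current:
        if host not in scan_results:
            new_list.add(host)
    return sorted(new_list)


# Constructed sample run: which hosts survive under the rules above.
CURRENT_LIST = ["old-but-down.example", "weakened.example", "dropped-header.example"]
SCAN = {
    "old-but-down.example": (False, None),                                 # kept: unreachable, already listed
    "new-but-down.example": (False, None),                                 # not added: unreachable, not listed
    "weakened.example": (True, "max-age=86400; includeSubDomains"),        # removed: max-age too small
    "dropped-header.example": (True, None),                                # removed: reachable, no header
    "qualifies.example": (True, 'MAX-AGE="31536000"; includeSubDomains'),  # added: quoted, case-insensitive
    "boundary.example": (True, "max-age=10886400; preload"),               # added: exactly the minimum
    "broken.example": (True, "max-age=100; max-age=200"),                  # not added: repeated directive
}

if __name__ == "__main__":
    for host in update_preload_list(CURRENT_LIST, SCAN):
        print(host)
```

A practitioner checking why a site did or did not make the list can run the same header through header_qualifies: a max-age of 10886399 is rejected while 10886400 is accepted, and the presence or absence of preload makes no difference to the result.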

The preload list has a built-in expiration time that is 18 weeks from when the list was most recently updated. This matches the minimum max-age required for inclusion, so a Firefox build never trusts a preloaded entry for longer than the shortest commitment a listed host made when it was scanned. A Firefox build whose list is older than that stops consulting the preload list and falls back to the HSTS state it has learned dynamically from Strict-Transport-Security headers.