Linode Community Forums
PostPosted: Mon Apr 30, 2012 5:38 am 
Newbie

Joined: Sat Mar 03, 2012 10:21 am
Posts: 4
Would you please consider the following?

1) Include a HSTS header
Strict-Transport-Security: max-age=15768000
(6 months, or some other reasonable value)

2) Redirect http://manager.linode.com to https://manager.linode.com
I don't think this has security benefits beyond cosmetics, but it seems like the right thing to do anyway.

3) Set X-Frame-Options: SAMEORIGIN

4) Create a Content-Security-Policy header
https://dvcs.w3.org/hg/content-security ... n.dev.html

5) Check that the recent nginx memory disclosure vuln doesn't apply to your web app, or has been patched. (The manager.l.c server reports itself as 0.7.x)
http://cve.mitre.org/cgi-bin/cvename.cg ... -2012-1180


PostPosted: Tue May 01, 2012 1:01 am 
Senior Member

Joined: Wed Apr 20, 2011 1:09 pm
Posts: 63
No point in the Content-Security-Policy header, as that specification isn't completed and stable. Until the W3C *finally* gets it done, nobody can be sure that's how the format will go. Best to avoid it until it's completed, or do the X-Content-Security-Policy and go with how Firefox handles things (last I tried, Chrome's implementation was horribly broken).

Agreed about the X-Frame-Options, definitely. HSTS as well.

_________________
うるさいうるさいうるさい!


PostPosted: Mon Oct 29, 2012 9:08 pm 
Newbie

Joined: Sun Jun 05, 2011 10:53 pm
Posts: 3
If these security improvements are valid, have they been implemented? It would be nice to hear back from Linode regarding this.


PostPosted: Thu Jan 24, 2013 6:52 am 
Senior Member

Joined: Thu Feb 16, 2012 9:01 pm
Posts: 52
wjwoodward wrote:
If these security improvements are valid, have they been implemented? It would be nice to hear back from Linode regarding this.


As you can see from looking at the header, they haven't been.

HSTS has made it to an RFC: https://tools.ietf.org/html/rfc6797

Other bits are still in the W3C pipeline.


PostPosted: Sun Jun 30, 2013 2:00 am 

Joined: Sun Jun 30, 2013 1:47 am
Posts: 1
From what I read, with the HSTS header the Linode Manager would declare itself accessible only via secure connections.
So basically good browsers such as Chrome will switch to/stay on https?
Is that it?

_________________
Free hosting


Last edited by mela on Sun Sep 22, 2013 6:13 am, edited 2 times in total.

PostPosted: Sun Jun 30, 2013 3:19 am 
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
The STS header is only accepted by browsers over an HTTPS connection. So if a browser makes a connection over HTTP and sees an STS it drops it. If it's over HTTPS, it should remember to only go to HTTPS moving forward.

With that being said, linode.com, manager.linode.com, forum.linode.com, and a few others do 301 redirects to HTTPS and send the STS header. In addition to that, we've been added to the internal STS list of Chromium, so it should progress down to the stable builds of Google Chrome *eventually*. I believe Mozilla uses this list for Firefox as well, so we should make it in there also.

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch
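The behaviour Tim describes (a browser ignores STS received over plain HTTP, remembers it when received over HTTPS, and then rewrites later http:// requests to https:// until max-age runs out) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from Linode or any browser: a simplified HSTS store following the rules in RFC 6797, with an injectable clock so the expiry can be exercised. The host `manager.example.invalid` is a placeholder and the demo's timeline is constructed.

```python
import re
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Toy model of a browser's HSTS store (assumption: a simplification of RFC 6797, not any real browser's code)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # host -> (expiry timestamp, includeSubDomains flag)
        self._entries: Dict[str, Tuple[float, bool]] = {}

    def process_response(self, url: str, headers: Dict[str, str]) -> bool:
        """Apply a response's STS header. Returns True if the store was updated."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            return False  # STS over plain HTTP is dropped, as Tim describes
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
        if not match:
            return False  # max-age is mandatory; a header without it is ignored
        max_age = int(match.group(1))
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self._entries[host] = (self._now() + max_age, "includesubdomains" in value.lower())
        return True

    def is_known(self, host: str) -> bool:
        """True if host (or a parent domain with includeSubDomains) has an unexpired entry."""
        now = self._now()
        for known, (expiry, subdomains) in list(self._entries.items()):
            if expiry <= now:
                del self._entries[known]  # lazy expiry of stale entries
                continue
            if host == known or (subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually fetch: http:// is upgraded for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo() -> tuple:
    """Walk through the sequence from the thread on a constructed timeline."""
    clock = [1_000_000.0]  # fake clock so expiry can be tested without waiting six months
    cache = HstsCache(now=lambda: clock[0])
    sts = {"Strict-Transport-Security": "max-age=15768000"}

    ignored = cache.process_response("http://manager.example.invalid/", sts)   # dropped: plain HTTP
    before = cache.rewrite("http://manager.example.invalid/login")             # unchanged
    stored = cache.process_response("https://manager.example.invalid/", sts)   # remembered
    after = cache.rewrite("http://manager.example.invalid/login")              # upgraded to https
    clock[0] += 15768000 + 1                                                   # six months pass
    expired = cache.rewrite("http://manager.example.invalid/login")            # entry gone
    return ignored, before, stored, after, expired


if __name__ == "__main__":
    print(demo())
```

The two-step behaviour is why the 301 redirect and the STS header go together: the redirect carries a first-time visitor onto HTTPS, where the STS header is finally accepted, and from then on the browser never issues the plain-http request at all. The preload list Tim mentions closes the remaining gap for that very first visit.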

