[owners] Add HSTS (Strict Transport Security)

[rcebulko]

No description provided.

[kristoferbaxter]

Since this is hosted by App Engine, here's the relevant segment from AppEngine's faq.

It is possible to use Strict-Transport-Security in App Engine. In order to add HTTP Strict-Transport-Security headers (HSTS) to your app, you must implement the headers within your app's code, not within your app's config file (app.yaml or appengine-web.xml).

https://cloud.google.com/appengine/kb/

[rcebulko]

Unclear how necessary this is at the time being, since there is no authentication/it's public-facing and GitHub authenticates with PSK

[rcebulko]

@ampproject/wg-infra Do any of our apps use HSTS? Is there a need? I'm inclined to say there is not given the nature of the apps, but perhaps I'm missing something

[danielrozenberg]

It's a good extra step, regardless of how "important" the apps are, but don't overthink it. Unless it's a simple flag in GAE config, make this a fixit week task and forget about it until next year :)

[rcebulko]

That was my thought

[danielrozenberg]

Still relevant, let's do it next fixit

[rcebulko]

Is this relevant? There's no sensitive data present in any of the browser-accessible endpoints for the owners bot. It's just the teams, tree, and example file. What threat model would this address?

[danielrozenberg]

It's one extra layer of security, it's definitely not required but it does tell the world we're Professionals :D