SEC-3192: HSTS preload token #3396
Labels:
- in: web (an issue in web modules: web, webmvc)
- status: duplicate (a duplicate of another issue)
- type: jira (an issue that was migrated from JIRA)
Oleksandr Golonzovskyi (Migrated from SEC-3192) said:
The HSTS header provides the user agent with a hint to use SSL for a specific domain. However, the first access to a specific domain is a potential attack surface. A predefined list is maintained by Chrome and used by other browsers to avoid this vulnerability.
In order for a domain to be added to the preload list, we need to have the "preload" token in the HSTS header. See: https://www.chromium.org/hsts/, https://hstspreload.appspot.com/
This token is not mentioned in the original RFC; however, it is recommended per
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
The proposal is to add the "preload" token to the HSTS header configuration; not sure if it should be enabled by default (as it may cause long-term consequences, so it could require a conscious decision).
Therefore the default HSTS header example after the change:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
A possible additional check: allow adding the preload token only if max-age >= 10886400.
References:
https://www.chromium.org/hsts/
https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
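As an added example (not Spring Security code and not part of the original issue), the following Python shows how a header writer could serialise a Strict-Transport-Security value and enforce the check proposed above: the `preload` token is emitted only together with `includeSubDomains` and a `max-age` of at least 10886400. The threshold, the default `max-age` of 31536000 and the names `HstsPolicy`, `build_hsts_header`, `parse_hsts_header` and `preload_problems` are assumptions of this example; the parser also accepts quoted and mixed-case directives and ignores unknown ones, which goes slightly beyond the issue text but follows RFC 6797.

```python
# Added example, not Spring Security's HstsHeaderWriter: build and validate a
# Strict-Transport-Security header value against the preload rule proposed in
# the issue ("preload" only with includeSubDomains and max-age >= 10886400).

from dataclasses import dataclass
from typing import List, Optional

# Threshold quoted in the issue (18 weeks in seconds). The live preload
# service may demand more; this example only enforces the issue's number.
PRELOAD_MIN_MAX_AGE = 10886400
DEFAULT_MAX_AGE = 31536000  # one year, as in the issue's example header


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = True
    preload: bool = False


def build_hsts_header(policy: HstsPolicy) -> str:
    """Serialise the policy, refusing a preload token the list would reject."""
    if policy.max_age < 0:
        raise ValueError("max-age must be non-negative")
    if policy.preload:
        if not policy.include_subdomains:
            raise ValueError("preload requires includeSubDomains")
        if policy.max_age < PRELOAD_MIN_MAX_AGE:
            raise ValueError(
                f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}, "
                f"got {policy.max_age}"
            )
    parts = [f"max-age={policy.max_age}"]
    if policy.include_subdomains:
        parts.append("includeSubDomains")
    if policy.preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts_header(value: str) -> HstsPolicy:
    """Parse a header value; directive names are case-insensitive (RFC 6797)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            if not arg.isdigit():
                raise ValueError(f"invalid max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(value: str) -> List[str]:
    """Reasons a served header fails the issue's preload check ([] if it passes)."""
    policy = parse_hsts_header(value)
    problems: List[str] = []
    if not policy.preload:
        problems.append("missing preload token")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} below {PRELOAD_MIN_MAX_AGE}")
    return problems


if __name__ == "__main__":
    # The issue's proposed default, and a constructed header that would not qualify.
    print(build_hsts_header(HstsPolicy(DEFAULT_MAX_AGE, True, True)))
    print(preload_problems("max-age=3600"))
```

`build_hsts_header` is the writer-side guard (refuse to emit a token that would be rejected), while `preload_problems` is the audit-side view of a header already being served, which is what one would run against an existing deployment before submitting a domain to the list.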