
Security: Use HSTS preload #12

Open
delisma opened this issue May 1, 2021 · 0 comments
Labels: bug (Something isn't working), enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

delisma commented May 1, 2021

Describe the bug
Add our site to the HSTS preload list so HSTS is active for our site in browsers by default. Our HSTS policy is only active in a browser after that browser sees a response from our site with an HSTS response header. This means new visitors will be vulnerable to exploits if they initially visit our site using an insecure HTTP URL. To eliminate this attack vector, add site to the "HSTS preload list" so browsers will apply HSTS to a site by default even before a first visit. To add our site to the list, our Strict-Transport-Security header for all responses on all subdomains should have a max-age setting of at least 1 year (31,536,000 seconds) and both the includeSubDomains and preload options should be set. The header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload meets these requirements. Take care to get the capitalisation right for each option such as for includeSubDomains.

To Reproduce
Preload set: None
Include subdomains: None
HSTS expiry: 31,536,000

Expected behavior
Once this is done, we can submit our site to https://hstspreload.org/ for inclusion in the HSTS preload list. Warning: As with enabling HSTS, we must be confident we won't need to disable HTTPS in the future. Removing ourselves from the HSTS preload list may take some time and browsers might not keep their list up to date.
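As an added example (not part of this issue or the project's code), a small Python checker that parses a Strict-Transport-Security header value and reports the three items the scan output above lists: preload, includeSubDomains and max-age. The class and function names are my own; a directive spelled with different capitalisation is still recognised but flagged as a warning, following the issue's advice about getting capitalisation right.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds: the minimum max-age the issue requires for preload
CANONICAL = {"includesubdomains": "includeSubDomains", "preload": "preload"}  # keyed by lower-case name


@dataclass
class HstsCheck:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)   # block preload submission
    warnings: List[str] = field(default_factory=list)   # worth fixing, not blocking

    @property
    def preload_ready(self) -> bool:
        return not self.problems


def check_hsts(header_value: Optional[str]) -> HstsCheck:
    # Parse a Strict-Transport-Security value and judge preload eligibility
    result = HstsCheck()
    if header_value is None:
        result.problems.append("no Strict-Transport-Security header")
        return result
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name, key = name.strip(), name.strip().lower()
        if not name:
            continue  # tolerate a trailing ';'
        if key == "max-age":
            try:
                result.max_age = int(value.strip().strip('"'))
            except ValueError:
                result.problems.append(f"max-age is not an integer: {value!r}")
        elif key in CANONICAL:
            setattr(result, "include_subdomains" if key == "includesubdomains" else "preload", True)
            if name != CANONICAL[key]:  # recognised, but flagged as the issue advises
                result.warnings.append(f"{name!r} should be spelled {CANONICAL[key]!r}")
        else:
            result.warnings.append(f"unknown directive {name!r}")
    if result.max_age is None:
        result.problems.append("max-age missing")
    elif result.max_age < ONE_YEAR:
        result.problems.append(f"max-age {result.max_age} is below {ONE_YEAR}")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains missing")
    if not result.preload:
        result.problems.append("preload missing")
    return result
```

Running `check_hsts("max-age=31536000")` reproduces the state in the scan lines above: a one-year expiry with both includeSubDomains and preload missing.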

@delisma delisma added bug Something isn't working enhancement New feature or request help wanted Extra attention is needed labels May 1, 2021
@delisma delisma self-assigned this May 1, 2021
@delisma delisma changed the title from "Speed: Use HSTS preload" to "Security: Use HSTS preload" May 1, 2021