AMWA-TV / bcp-003

AMWA BCP-003 Security recommendations for NMOS APIs
https://specs.amwa.tv/bcp-003
Apache License 2.0

BCP-003-01: Recommended HSTS max-age? #40

Closed garethsb closed 4 years ago

garethsb commented 5 years ago

The spec recommends using HTTP Strict-Transport-Security (HSTS) according to RFC 6797.

Is there a guideline for what value of max-age to use?

Netsparker says:

It is recommended to set the max-age to a big value like 31536000 (12 months) or 63072000 (24 months).

Qualys says:

It is advisable to assign the max-age directive’s value to be greater than 10368000 seconds (120 days) and ideally to 31536000 (one year).

OWASP Cheat Sheet uses an example of one year:

Strict-Transport-Security: max-age=31536000; includeSubDomains

SCIP says:

A common recommendation for production sites is to set max-age to 31536000, which constitutes roughly a non-leap year. Lower values can be useful for testing purposes but increase the frequency a window of attack occurs due to the expiration of the header. It takes little effort to find examples of sites using values as low as one minute. This defeats the purpose of HSTS and does, worst case, convey a wrong sense of security because the site has – strictly technical – a valid HSTS header.

testssl.sh used in the AMWA NMOS Testing Tool implements the HSTS test as:

15552000 s (180 days) or more is recommended

But I don't know whether that guidance comes from any recognized body?

andrewbonney commented 5 years ago

We may need to exercise caution if recommending a value which has generally been determined as useful for the open internet. HSTS has the potential to cause problems if there is any desire to swap between HTTP and HTTPS for experimentation, which would require a much lower max-age.

garethsb commented 5 years ago

Agreed - but then we should be careful what the test suite reports if you include a non-zero but low max-age.

NEOAdvancedTechnology commented 5 years ago

Let's investigate HSTS use in HTTP libraries for automated API calls.

This is probably not something we should normatively specify in BCP-003-01, but could use an informative note.

NEOAdvancedTechnology commented 4 years ago

Still have not had time to investigate this, but likely needs to be examined

NEOAdvancedTechnology commented 4 years ago

Try to get this worked out for next call

andrewbonney commented 4 years ago

Just trying to move this on a bit, given that the common ground in the quotes above is around the 1 year mark. A suggestion as a result is to include the 1 year as a RECOMMENDED in the spec document, but also include a SHOULD for being able to configure or disable this to deal with any deployment trials. The testing tool should then be updated to match and test for 1 year plus, and issue warnings for either HSTS missing altogether, or HSTS with a short max age.
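As an added illustration of the rule proposed in this comment, and of the earlier point that a deployment may need to back out of HSTS to return to plain HTTP, here is a small checker that parses a `Strict-Transport-Security` value per RFC 6797 and reports PASS, WARN or FAIL against a one-year threshold. This is example code written for this discussion; it is not part of BCP-003-01 or of the AMWA NMOS Testing Tool. Assumptions not taken from the thread: the names `parse_hsts`, `evaluate_hsts` and `update_hsts_cache`, the choice to report a malformed header as FAIL (the thread only asks for warnings on a missing or short max-age), and the constructed sample headers at the bottom. The cache helper mirrors RFC 6797 section 8.1 only to show that a `max-age=0` header is the sanctioned way to have clients forget the policy; it assumes the header was received over TLS, which the RFC requires before a UA will act on it.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the value the quoted guidance converges on


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse an STS field value per RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is required, each directive
    may appear only once, and unrecognised directives are ignored.  Returns
    None when the header is absent or does not conform (a UA must ignore it).
    """
    if header is None:
        return None
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None  # duplicate directive: whole header is invalid
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None  # delta-seconds must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header: Optional[str], recommended: int = ONE_YEAR) -> Tuple[str, str]:
    """Return (verdict, detail), following the proposal in this comment:
    warn when HSTS is missing or its max-age is short, pass at one year plus.
    FAIL for a syntactically invalid header is this example's own choice."""
    if header is None:
        return ("WARN", "no Strict-Transport-Security header")
    policy = parse_hsts(header)
    if policy is None:
        return ("FAIL", "malformed Strict-Transport-Security header: " + header)
    if policy.max_age == 0:
        return ("WARN", "max-age=0 clears the cached policy; acceptable only while trialling plain HTTP")
    if policy.max_age < recommended:
        return ("WARN", f"max-age={policy.max_age} is below the recommended {recommended}")
    return ("PASS", f"max-age={policy.max_age} meets the recommended {recommended}")


def update_hsts_cache(cache: Dict[str, HstsPolicy], host: str, header: Optional[str]) -> Dict[str, HstsPolicy]:
    """Mimic a UA's Known HSTS Host store (RFC 6797 section 8.1): a valid
    header records or refreshes the policy, max-age=0 removes the host, and an
    absent or invalid header leaves the store untouched.  Assumes the response
    arrived over TLS without certificate errors."""
    policy = parse_hsts(header)
    if policy is None:
        return cache
    if policy.max_age == 0:
        cache.pop(host, None)
    else:
        cache[host] = policy
    return cache


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real NMOS node.
    samples = [
        None,
        "max-age=60",
        "max-age=31536000; includeSubDomains",
        "MAX-AGE=63072000; IncludeSubDomains; preload",
        "max-age=abc",
        "max-age=0",
    ]
    for sample in samples:
        verdict, detail = evaluate_hsts(sample)
        print(f"{verdict:4} {detail}")

    # Backing out of HSTS for an HTTP trial: a one-year policy is cached,
    # then a max-age=0 header over TLS makes the client forget it.
    store: Dict[str, HstsPolicy] = {}
    update_hsts_cache(store, "node.example", "max-age=31536000")
    update_hsts_cache(store, "node.example", "max-age=0")
    print("node.example still pinned:", "node.example" in store)
```

Note that the cache helper is only there to show the `max-age=0` escape hatch: until such a header reaches every client that previously saw the long value, those clients will keep rewriting `http://` URLs to `https://`, which is exactly the experimentation problem raised earlier in the thread.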

NEOAdvancedTechnology commented 4 years ago

Work item for Andrew to do PR based on his comment.