ASL-19 / civicdr-backend

GNU General Public License v3.0

CDR-02-002 HSTS configuration could make the website inaccessible (Info) #27

Closed seamustuohy closed 7 years ago

seamustuohy commented 7 years ago

It was found that the website currently deploys an HSTS header with the preload flag. This will protect CiviCDR users against MitM attacks on their first visit to the website, because browsers are informed about the HTTPS certificate to accept for this domain. However, this could also result in making the website inaccessible to CiviCDR users when the certificate (created: July 24, 2017, expires: October 22, 2017) is renewed. At the time of writing the max-age is 63072000, which corresponds to 24 months, while the certificate will expire in only 3 months.

This issue can be verified by observing the HTTP headers returned by the website as the main URL is being visited:

    Response:
    HTTP/1.1 200 OK
    [...]
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Accept-Ranges: bytes

The same applies to the herokuapp API backend, although in this case the certificate renewal will be performed by Heroku:

    Response:
    HTTP/1.1 304 Not Modified
    Server: Cowboy
    Content-Length: 0
    Connection: close
    X-Powered-By: Express
    Access-Control-Allow-Origin: *
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
    X-Xss-Protection: 1; mode=block
    Etag: W/"284-I38gnx5u1UipH8mPTM4anVXNrRQ"
    Date: Tue, 08 Aug 2017 04:03:24 GMT
    Via: 1.1 vegur

It is recommended to ask for removal from the preload list (if such a request was made) and to remove the preload flag from the HSTS header. While users will be unprotected against MitM attacks on their first website visit, possible certificate renewal errors will not result in making the entire website inaccessible to all CiviCDR users.
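Added example (not code from the civicdr project or the reporter): a small Strict-Transport-Security parser that checks a header for the two conditions this finding raises, the preload flag and a max-age longer than the certificate's remaining validity, and rebuilds the header as recommended. The header and certificate dates are the constructed inputs quoted above; using the 08 Aug 2017 response date as "today" is an assumption.

```python
"""Review an HSTS header against the conditions described in this finding."""
from datetime import date

# Constructed sample values copied from the finding above (not fetched live).
SAMPLE_HEADER = "max-age=63072000; includeSubdomains; preload"
CERT_NOT_AFTER = date(2017, 10, 22)
REVIEW_DATE = date(2017, 8, 8)  # assumption: the Date header of the API response


def parse_hsts(header: str) -> dict:
    """Parse HSTS directives (RFC 6797): names are case-insensitive, max-age is mandatory."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def review_hsts(header: str, cert_not_after: date, today: date) -> tuple[dict, list]:
    """Return the parsed policy and a list of findings matching this report's conditions."""
    policy = parse_hsts(header)
    findings = []
    remaining_days = (cert_not_after - today).days
    if policy["max_age"] > remaining_days * 86400:
        findings.append(f"max-age covers {policy['max_age'] // 86400} days but the "
                        f"certificate expires in {remaining_days} days")
    if policy["preload"]:
        # Preload list entries ship inside browsers; changing the header alone does not undo them.
        findings.append("preload flag present: removal from the preload list must be requested separately")
    return policy, findings


def recommended_header(policy: dict) -> str:
    """Rebuild the header without the preload flag, as the finding recommends."""
    header = f"max-age={policy['max_age']}"
    if policy["include_subdomains"]:
        header += "; includeSubDomains"
    return header
```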