Letractively / securityswitch

Automatically exported from code.google.com/p/securityswitch

Perfect Forward Secrecy (actually this is HTTP Strict Transport Security) #50

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
In order to enable perfect forward secrecy the application has to add an HTTP 
header to the responses it gives on HTTPS pages.

name="Strict-Transport-Security"
value="max-age=31536000"

This header should only appear on HTTPS pages.  Non-HTTPS pages should never 
have this header.

It would be nice if we could just set PFS to true in the securitySwitch 
configuration and have it taken care of.

Original issue reported on code.google.com by l...@wildkatz.org on 30 Apr 2014 at 8:09
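The rule stated in the report above (header present on HTTPS responses, never on plain HTTP) is easy to get wrong in either direction, so here is an added example of a checker for it. This is not code from the securityswitch project or from the issue author: it parses Strict-Transport-Security values per RFC 6797 and runs a set of constructed sample responses (not captured traffic) through the check. The 180-day minimum `MIN_MAX_AGE`, the sample names and the finding strings are assumptions made for the example.

```python
"""HSTS response checker (added example, not securityswitch code).

Parses Strict-Transport-Security per RFC 6797 and checks constructed
responses for the rule in the report: the header must be present on HTTPS
responses and absent on plain-HTTP responses.
"""
import re

# Constructed sample responses: (scheme, response header list). Not real traffic.
SAMPLE_RESPONSES = {
    "https-ok": ("https", [("Strict-Transport-Security", "max-age=31536000")]),
    "https-subdomains": ("https", [("strict-transport-security",
                                    "max-age=15552000; includeSubDomains; preload")]),
    "https-missing": ("https", [("Content-Type", "text/html")]),
    "https-short": ("https", [("Strict-Transport-Security", "max-age=300")]),
    "https-zero": ("https", [("Strict-Transport-Security", "max-age=0")]),
    "https-no-maxage": ("https", [("Strict-Transport-Security", "includeSubDomains")]),
    "https-duplicate": ("https", [("Strict-Transport-Security", "max-age=31536000"),
                                  ("Strict-Transport-Security", "max-age=86400")]),
    "http-leak": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    "http-ok": ("http", [("Location", "https://example.test/")]),
}

# Assumed policy threshold: 180 days, i.e. 15552000 seconds.
MIN_MAX_AGE = 15552000

# One directive: name, optionally "=" and a token or quoted-string value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2\s*)?$')


def parse_hsts(value):
    """Parse an STS header value into {directive_name_lower: value_or_None}.

    Returns None when the value is invalid: a directive that cannot be parsed,
    a repeated directive name, or a missing / non-numeric max-age (RFC 6797 6.1).
    Splitting on ';' assumes no ';' inside a quoted value.
    """
    directives = {}
    for token in value.split(";"):
        if not token.strip():
            continue  # empty elements (e.g. a trailing ';') are tolerated
        m = _DIRECTIVE.match(token)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a directive must not appear more than once
        directives[name] = m.group(3)
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        return None
    return directives


def check_response(scheme, headers):
    """Return a list of finding strings for one response; an empty list means OK."""
    sts = [v for (k, v) in headers if k.lower() == "strict-transport-security"]
    findings = []
    if scheme != "https":
        # RFC 6797 8.1: user agents ignore STS received over plain HTTP, so a
        # header here is a sign the server is not gating it on the scheme.
        if sts:
            findings.append("STS header sent on non-HTTPS response")
        return findings
    if not sts:
        return ["STS header missing on HTTPS response"]
    if len(sts) > 1:
        # RFC 6797 8.1: only the first STS header field is processed.
        findings.append("multiple STS header fields; only the first is honoured")
    parsed = parse_hsts(sts[0])
    if parsed is None:
        return findings + ["STS header value is malformed or lacks max-age"]
    max_age = int(parsed["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append("max-age %d below the %d second minimum" % (max_age, MIN_MAX_AGE))
    return findings


def run_checks(responses=SAMPLE_RESPONSES):
    """Map each sample name to the findings for that response."""
    return {name: check_response(scheme, headers)
            for name, (scheme, headers) in responses.items()}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print("%-18s %s" % (name, "; ".join(findings) or "ok"))
```

Point the same check at real headers (for example from `curl -sI` against both the http:// and https:// form of a URL) and the "http-leak" and "https-missing" cases are exactly the two misconfigurations a module like the one requested in this issue has to avoid.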

GoogleCodeExporter commented 8 years ago
I've been reading more and more about PFS after Heartbleed. I'll check this out 
and add it to the list to come.

Original comment by vent...@gmail.com on 9 May 2014 at 12:45

GoogleCodeExporter commented 8 years ago
Any word on when this will be included?

Original comment by l...@wildkatz.org on 4 Nov 2014 at 9:48

GoogleCodeExporter commented 8 years ago
Since the HTTP Strict Transport Security (HSTS) header is completely 
independent of Forward Secrecy (though required for FS to work properly), I 
plan to add a couple of attributes/properties with nomenclature around HSTS.

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

I'm hoping to have this implemented by next week.

Original comment by vent...@gmail.com on 6 Nov 2014 at 4:13

GoogleCodeExporter commented 8 years ago
In case it's useful... I wrote this HttpModule on our website to add the 
required header.

    using System;
    using System.Configuration;
    using System.Web;

    // Adds the Strict-Transport-Security header to responses served over HTTPS.
    public class ForwardSecrecyHttpModule : IHttpModule
    {
        public String ModuleName
        {
            get { return "ForwardSecrecyHttpModule"; }
        }

        public void Init(HttpApplication context)
        {
            // Hook the point just before the response headers are sent to the client.
            context.PreSendRequestHeaders += new EventHandler(this.PreSendRequestHeaders);
        }

        private void PreSendRequestHeaders(object sender, EventArgs e)
        {
            var app = (HttpApplication) sender;
            var context = app.Context;

            // Only HTTPS responses may carry the header; browsers ignore it over plain HTTP.
            if (context.Request.IsSecureConnection)
            {
                // 180 days = 15552000. Used as the fallback when the app setting is
                // missing, so the header is never emitted with an empty max-age.
                var maxAge = ConfigurationManager.AppSettings["SETTING.STS.MaxAge"] ?? "15552000";
                context.Response.AddHeader("strict-transport-security", "max-age=" + maxAge);
            }
        }

        public void Dispose()
        {
            // Nothing to release.
        }
    }

Original comment by l...@wildkatz.org on 7 Nov 2014 at 1:08

GoogleCodeExporter commented 8 years ago
This is up on NuGet (version 4.4).

Original comment by vent...@gmail.com on 8 Nov 2014 at 11:38