OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

14.4.5 seems to have a weak length of time not appropriate for preloading #963

Closed jmanico closed 3 years ago

jmanico commented 3 years ago

14.4.5 | Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains. | ✓ | ✓ | ✓ | 523 |

This seems pretty weak, let's bump this to a full year so preloading is possible

elarlang commented 3 years ago

From the requirement I don't read that max-age should be at least one year; I read it as a syntax example.

If you want to have preload, then you may consider https://hstspreload.org/

jmanico commented 3 years ago

Yes, I want to increase that syntax example since folks copy it, and I opened a PR.
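To make the point of the thread concrete, here is an added example (not part of the issue or of the ASVS text) that parses a `Strict-Transport-Security` value and reports why it would fail the hstspreload.org submission checks; it assumes the published requirements of a max-age of at least one year, `includeSubDomains` and the `preload` directive.

```python
"""Check a Strict-Transport-Security header against the HSTS preload requirements.
Added example for illustration; not ASVS text or the hstspreload.org code."""
import re

ONE_YEAR = 31_536_000  # seconds; minimum max-age hstspreload.org accepts (assumption)
ASVS_EXAMPLE = "max-age=15724800; includeSubdomains"  # value quoted in 14.4.5


def parse_hsts(value: str) -> dict:
    """Return a dict of directives; flag directives map to None.
    Directive names are case-insensitive (RFC 6797), so they are lowercased.
    A directive appearing twice makes the whole header invalid per RFC 6797."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        # RFC 6797 allows quoted-string values, e.g. max-age="31536000"
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def preload_problems(value: str) -> list:
    """List the reasons a header is not preload-eligible (empty list = eligible)."""
    problems = []
    try:
        d = parse_hsts(value)
    except ValueError as err:
        return [str(err)]
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    print("ASVS example:", preload_problems(ASVS_EXAMPLE))
    print("one-year value:", preload_problems("max-age=31536000; includeSubDomains; preload"))
```

Run against the 14.4.5 example value, the checker reports both the sub-one-year max-age and the missing `preload` directive, which is exactly the gap this issue is about.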

tghosth commented 3 years ago

Added the modified tag :)

Do you want to mention preload somewhere?

elarlang commented 3 years ago

CWE-523 does not seem a perfect match, if you are making those changes already :)

jmanico commented 3 years ago

Maybe as an ASVS 3 new item

jmanico commented 3 years ago

I moved this to https://github.com/OWASP/ASVS/issues/966 and am closing this up.

jmanico commented 3 years ago

And good call on this one @tghosth thank you!