Open bennytehcat opened 3 years ago
Priority: Medium

Site is vulnerable to reflected XSS on some browsers -- namely IE and Safari, but more importantly Safari on iOS and Samsung Browser.
Set X-XSS-Protection: 1; mode=block
or better yet make a CSP with Content-Security-Policy: default-src 'self' gntl.co.uk *.gntl.co.uk
Priority: Low
The site has no HTTP Strict Transport Security header. This can lead to MITM, protocol downgrade attacks, and cookie hijacking. Configure the server to redirect HTTP requests to HTTPS. Yes, attackers can ignore the HSTS.
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

<expire-time> is the time in seconds the browser should remember the HSTS.
We cannot have a reactionary response to a security issue or attack. As a new exchange, this has the potential to ruin our reputation. I suggest that this issue remains open until all other issues are closed. We need to ensure that our exchange and chain of services (web-hosting, dns, etc...) is bulletproof. We need to plan scenarios for DDoS, bot-swarm networks, and other 'bad' actors.
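The two findings above (no CSP / X-XSS-Protection, no HSTS) can be verified from the response headers alone. Below is an added example checker, not code from this issue or the project, that parses the HSTS and CSP headers and reports what is missing or weak; the sample header sets are constructed, and the six-month minimum for `max-age` is an assumed threshold, not a value from this issue.

```python
"""Audit a response's security headers for the issues raised in this issue:
a missing Content-Security-Policy / X-XSS-Protection and a missing or weak HSTS."""
from __future__ import annotations

import urllib.request

# Assumed threshold: many HSTS guides treat anything under six months as too short.
SIX_MONTHS = 15552000  # seconds


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict of its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # a non-numeric max-age is treated as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def parse_csp(value: str) -> dict:
    """Return {directive: [source expressions]} for a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: dict) -> list:
    """Return (severity, message) findings. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        xss = h.get("x-xss-protection")
        if xss is None:
            findings.append(("medium", "no Content-Security-Policy and no X-XSS-Protection header"))
        elif not xss.replace(" ", "").startswith("1;mode=block"):
            findings.append(("medium", "X-XSS-Protection is set but not '1; mode=block'"))
        else:
            findings.append(("low", "X-XSS-Protection set; a Content-Security-Policy is still preferable"))
    else:
        default = parse_csp(csp).get("default-src")
        if default is None:
            findings.append(("medium", "Content-Security-Policy lacks a default-src fallback"))
        elif "*" in default or "'unsafe-inline'" in default:
            findings.append(("medium", "default-src allows * or 'unsafe-inline'"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("low", "no Strict-Transport-Security header"))
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append(("low", "Strict-Transport-Security has no valid max-age"))
        elif p["max_age"] < SIX_MONTHS:
            findings.append(("low", f"HSTS max-age {p['max_age']} is below {SIX_MONTHS}"))
        if not p["include_subdomains"]:
            findings.append(("info", "HSTS does not include subdomains"))
    return findings


def fetch_headers(url: str, timeout: int = 10) -> dict:
    """Fetch a URL and return its response headers (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample: a response with neither header set, as described in the issue.
CURRENT_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}

# Constructed sample: the CSP suggested above plus a one-year HSTS covering subdomains.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' gntl.co.uk *.gntl.co.uk",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("current", CURRENT_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```

Run it as-is to compare the two constructed header sets; to check a live site, pass `fetch_headers("https://example.invalid/")` to `audit_headers` instead.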