aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

https searx.hlfh.space: hsts not detected #50

Closed dalf closed 4 years ago

dalf commented 4 years ago

HSTS is not detected on this host.

$ docker run --rm aeris22/cryptcheck https searx.hlfh.space
...
No HSTS
...

The header Strict-Transport-Security has the value max-age=31536000; includeSubDomains; preload according to curl, Firefox ( also detected by hstspreload.org).

unixfox commented 4 years ago

searx.hlfh.space uses unixfox/antibot-proxy, which forbids any request method apart from GET and POST, but it's probably due to a misconfiguration of antibot-proxy by the owner (I don't own searx.hlfh.space) because it shouldn't return a 500 error but a 403 one, and it shouldn't block anything on the main page if configured properly.

Cryptcheck uses a HEAD request method for checking the HSTS header, so that's why it can't detect the HSTS header: https://github.com/aeris/cryptcheck/blob/master/lib/cryptcheck/tls/https/server.rb#L18.

One way to fix that is to serve the HSTS from the proxy (NGINX or Caddy) instead of serving it from Searx.

aeris commented 4 years ago

CryptCheck uses HEAD requests in compliance with RFC 2616 §9.4 so as not to be fooled by a server sending a very huge/endless stream in the body. At the moment, your host doesn't present the HSTS header on such a request, but only on a GET request:

$ curl -vi https://searx.hlfh.space |& rg "^strict|> .* HTTP/2"
> GET / HTTP/2
< HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
$ curl -vIi https://searx.hlfh.space |& rg "^strict|> .* HTTP/2"
> HEAD / HTTP/2
< HTTP/2 500

You need to use the always flag of add_header under nginx or Header under Apache to have HSTS regardless of the response code. By default, HSTS is sent only on a 200 response code, which can be a weakness (302 Location not protected).

Responding differently (not same response code nor same headers) for GET and HEAD is not RFC 2616 compliant.
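
The GET/HEAD mismatch described above, as an added Ruby example (not CryptCheck's own code): it parses a Strict-Transport-Security value and compares what a host returns on each method, using constructed responses that mirror the curl transcript; `parse_hsts`, `compare_hsts` and the sample responses are this example's own names.

```ruby
# Added example, not CryptCheck's own code: parse a Strict-Transport-Security
# header and compare what a host returns on GET versus HEAD, the mismatch that
# made the HEAD-based check above report "No HSTS".

HSTS_HEADER = 'strict-transport-security'.freeze

# Parse an HSTS value into its directives. RFC 6797 makes max-age mandatory,
# so a value without it (or a missing header) yields nil: no policy at all.
def parse_hsts(value)
  return nil if value.nil?
  policy = { max_age: nil, include_subdomains: false, preload: false }
  value.split(';').each do |directive|
    name, val = directive.strip.split('=', 2)
    case name.to_s.downcase
    when 'max-age'           then policy[:max_age] = Integer(val.to_s.delete('"'), exception: false)
    when 'includesubdomains' then policy[:include_subdomains] = true
    when 'preload'           then policy[:preload] = true
    end
  end
  policy[:max_age] ? policy : nil
end

# Each response is { status: Integer, headers: { lowercase-name => value } }.
# Returns the parsed policy per method plus human-readable findings.
def compare_hsts(get_resp, head_resp)
  get_hsts  = parse_hsts(get_resp[:headers][HSTS_HEADER])
  head_hsts = parse_hsts(head_resp[:headers][HSTS_HEADER])
  findings = []
  if get_resp[:status] != head_resp[:status]
    findings << "status differs: GET #{get_resp[:status]} vs HEAD #{head_resp[:status]} (RFC 2616 §9.4 expects identical headers)"
  end
  if get_hsts && !head_hsts
    findings << 'HSTS sent on GET but not on HEAD: a HEAD-based scanner reports No HSTS'
  end
  if (get_hsts.nil? || head_hsts.nil?) && [get_resp, head_resp].any? { |r| r[:status] != 200 }
    findings << 'HSTS absent on a non-200 response: nginx needs add_header ... always (Apache: Header always set)'
  end
  { get: get_hsts, head: head_hsts, findings: findings }
end

# Constructed responses reproducing the curl transcript in this issue.
GET_RESPONSE  = { status: 200, headers: { HSTS_HEADER => 'max-age=31536000; includeSubDomains; preload' } }.freeze
HEAD_RESPONSE = { status: 500, headers: {} }.freeze

if __FILE__ == $PROGRAM_NAME
  compare_hsts(GET_RESPONSE, HEAD_RESPONSE)[:findings].each { |f| puts "- #{f}" }
end
```

Feeding both responses from a live host (for instance via HTTParty.get and HTTParty.head, with header names downcased) turns this into the same check CryptCheck performs, but with the GET side shown alongside for diagnosis.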

dalf commented 4 years ago

Thank you for the quick answer and the link to the RFC.

I have triple checked these lines: https://github.com/aeris/cryptcheck/blob/4e0e7e086bbfb79a1a1bf21d967125ed5b8e287c/lib/cryptcheck/tls/https/server.rb#L26-L33

but I missed HTTParty.head.

HLFH commented 4 years ago

@dalf @unixfox @aeris Thank you all for your help. Everything works with cryptcheck, searx, searx-checker, antibot-proxy with the right conf. I also added the always flag of add_header under nginx which fixes the main issue.