andrewmarkham / contentsecuritypolicy

Episerver addon to help manage the sites content security policy.
Apache License 2.0

Missing feature preload on StrictTransportSecurity #68

Closed LucGosso closed 1 week ago

LucGosso commented 1 year ago
Trying to improve my Optimizely Blog site and using this Swedish service for security scanning.

https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Foptimizely.blog


Missing Preload eg: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"

Suggestion:
"StrictTransportSecurity": {
  "MaxAge": 31536000,
  "IncludeSubDomains": true, 
  "preload":  true
},

Meanwhile, how do I disable StrictTransportSecurity from your plugin?

LucGosso commented 1 year ago

Meanwhile, how do I disable StrictTransportSecurity from your plugin?

"Enabled": false,

got it

andrewmarkham commented 1 year ago

Hi @LucGosso

I take it from the comment above that you have worked out how to disable the StrictTransportSecurity header?

I have looked into the preload option, and reading the following information https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security it seems that this is not part of the specification. Reading further it seems that Google also states that you should be careful about enabling this. https://hstspreload.org/

I need to think about this and consider if it is a valid option, as it is not part of the standard; it would be good to get your thoughts.

If you do need this, then you can always add the header yourself.

Andy
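As an added illustration (not code from the addon or from either commenter), here is a Python sketch of what the settings block suggested above would render to, together with a check of the rendered header against the hstspreload.org submission rules for the header itself (max-age of at least one year, includeSubDomains, preload). The key names follow the suggestion in the issue; the addon's real configuration schema is an assumption, as is the exact "Enabled" switch.

```python
ONE_YEAR = 31536000  # the minimum max-age hstspreload.org requires for submission

# Constructed settings block in the shape suggested in this issue (key names
# are taken from the suggestion; the addon's real schema is not assumed).
SUGGESTED_SETTINGS = {
    "StrictTransportSecurity": {
        "Enabled": True,
        "MaxAge": 31536000,
        "IncludeSubDomains": True,
        "preload": True,
    }
}

def build_hsts_header(settings):
    """Render the Strict-Transport-Security value; None when 'Enabled' is false."""
    cfg = settings["StrictTransportSecurity"]
    if not cfg.get("Enabled", True):
        return None
    directives = [f"max-age={int(cfg.get('MaxAge', 0))}"]
    if cfg.get("IncludeSubDomains"):
        directives.append("includeSubDomains")
    if cfg.get("preload"):
        # Browsers ignore this token; it only signals consent for the preload list.
        directives.append("preload")
    return "; ".join(directives)

def parse_hsts(value):
    """Split a header value into {lowercase directive: value or None}."""
    parsed = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            parsed[name.lower()] = val.strip().strip('"') if val else None
    return parsed

def preload_problems(value):
    """List the reasons the header alone would fail hstspreload.org's checks."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the required {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems
```

The header check covers only the directive requirements; hstspreload.org additionally requires the site to be served over HTTPS with HTTP redirecting to HTTPS, which has to be verified against the live site.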