bcgov / entity

ServiceBC Registry Team working on Legal Entities
Apache License 2.0

Secure HTTP Headers and JavaScript Libraries #24357

Open avni-work opened 1 week ago

avni-work commented 1 week ago

• Description: Missing HSTS and X-Content-Type-Options headers could expose the application to man-in-the-middle attacks and content injection. Additionally, an outdated JavaScript library (Bootstrap) has known vulnerabilities.

• Locations and Alerts:

  o https://api.iconify.design:

  o https://idtest.gov.bc.ca:

• Notes from Report: The lack of HSTS headers allows HTTP connections, which are vulnerable to interception. Missing X-Content-Type-Options headers allow MIME-type sniffing. Additionally, Bootstrap 3.4.1 has security vulnerabilities that could be exploited.

Potential Fix

  1. Add HSTS Header: Set Strict-Transport-Security with max-age=31536000; includeSubDomains to enforce HTTPS-only connections.
  2. Set X-Content-Type-Options Header: Add X-Content-Type-Options: nosniff to prevent MIME-type sniffing.
  3. Update JavaScript Library: Upgrade Bootstrap to the latest secure version to address known vulnerabilities.

Potential Spike to Investigate

  1. Check for HSTS and Content-Type Headers: In the browser’s network tools, load resources from https://api.iconify.design and inspect headers to confirm if Strict-Transport-Security and X-Content-Type-Options headers are present.
  2. Verify Bootstrap Version: Locate the Bootstrap files on https://idtest.gov.bc.ca and check the version in the file headers or within package.json or similar dependency files if available. Confirm if it’s 3.4.1 and review release notes for any known vulnerabilities in this version.
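A scripted version of the spike above (header presence and values, plus the Bootstrap banner check), added here as an example and not code from the bcgov/entity project or from the issue author. It assumes response headers are available as a plain dict, as the browser network tab or a Python HTTP client would give you; the header sets and the Bootstrap file snippet are constructed samples, not captures from the hosts named in the issue.

```python
"""Audit helpers for the two findings in this issue (added example, not project code).

Assumption: a response is represented as a dict of header-name -> value. Sample
inputs below are constructed for illustration, not captured from the listed hosts.
"""
import re
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # max-age proposed in the issue for Strict-Transport-Security


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive; match accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into directives (RFC 6797 syntax)."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the two headers the report flags; empty list means acceptable."""
    findings: List[str] = []
    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: HTTP connections are not forced to HTTPS")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", -1))
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below {ONE_YEAR}")
        if "includesubdomains" not in directives:
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    xcto = _lookup(headers, "X-Content-Type-Options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing: browsers may MIME-sniff responses")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")
    return findings


# Bootstrap's distributed files open with a banner comment of the form "Bootstrap vX.Y.Z".
BOOTSTRAP_BANNER = re.compile(r"Bootstrap\s+v(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def bootstrap_version(file_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the banner at the top of bootstrap.js/.css, or None."""
    match = BOOTSTRAP_BANNER.search(file_text)
    return tuple(int(x) for x in match.groups()) if match else None


# Constructed sample data (not real captures from the hosts named in the issue).
REPORTED_HEADERS = {"Content-Type": "image/svg+xml", "Cache-Control": "public"}
HARDENED_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_BOOTSTRAP_JS = "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */\n"

if __name__ == "__main__":
    for label, hdrs in (("reported", REPORTED_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or "OK")
    print("bootstrap", bootstrap_version(SAMPLE_BOOTSTRAP_JS))
```

Two caveats when running this against live hosts: browsers only honour Strict-Transport-Security when it arrives over HTTPS, so check the HTTPS response rather than an HTTP one, and for a third-party origin such as api.iconify.design the team can only verify the headers, not set them.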
rstens commented 1 week ago

https://idtest.gov.bc.ca - would need to involve a different team for that.

avni-work commented 1 week ago

Will be a discussion point to see if this is our risk to mitigate or if we pass it on to them. re: https://idtest.gov.bc.ca