search

cds-snc / tracker

Check whether a Government of Canada domain is adhering to best security practices.
Other
12 stars 9 forks source link

Redirect issue - endpoint choice #59

Open sayaHub opened 5 years ago

sayaHub commented 5 years ago

Use case:

  1. Service has all endpoints live (http, httpwww, https, httpswww)
  2. http, httpwww and https endpoints are configure properly and immediately redirect to the secure eventual endpoint
  3. httpswww downgrade before reaching the eventual secure endpoint

Even if we feed the scanner with a root endpoint that is secured and properly redirect to the eventual secure endpoint, tracker seems to set the canonical url to httpswww. Where there are httpswww configuration issues, it significantly impact the root domain scan result because the httpswww is chosen.

Question: should Tracker choose to scan the secure root endpoint if Live instead of httpswww?

obrien-j commented 5 years ago

Can you point to an existing domain in this situation @sayaHub ?

Point 3 there seems to imply a secure endpoint is downgrading to an insecure path.. That feels pretty "wrong".

sayaHub commented 5 years ago

for point 3, we feel the same way, we don't understand why the configuration will be setup that way. We are trying to write up more about the right way to do redirection ...I ping you on slack about the domain example.

obrien-j commented 5 years ago

image

Example of a misconfigured redirection...

The logic of how pshtt chooses the 'best' endpoint to use could be changed, but it'd probably just be easier to fix the domains showing issues.

sayaHub commented 5 years ago

fyi, issue mentioned in original library : https://github.com/cisagov/pshtt/issues/89#issue