civichackingagency / scangov

Government digital experience monitor
https://scangov.org
9 stars 1 forks source link

Update data: iowa.gov #166

Open Javi-er opened 1 month ago

Javi-er commented 1 month ago

Domain: iowa.gov

The security report mentions that http:// domain doesn't redirect to https, when in fact it does, it can be validated by visiting http://www.iowa.gov/

Narlotl commented 1 month ago

The HSTS score is based on the present of the Strict-Transport-Security header at http://iowa.gov, which isn't there. Although iowa.gov redirects to the HTTPS site, HSTS does it automatically, meaning the user never has to request over HTTP.

Current headers:


$ curl --head http://iowa.gov
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Retry-After: 0
Server: Pantheon
Location: https://www.iowa.gov/
X-Pantheon-Redirect: primary-domain-policy-doc
X-Served-By: cache-dfw-kdfw8210141-DFW
X-Cache-Hits: 0
X-Timer: S1729738138.842301,VS0,VE6
Accept-Ranges: bytes
Date: Thu, 24 Oct 2024 02:48:57 GMT
Connection: keep-alive
Server-Timing: ak_p; desc="1729738137705_399532102_1286642063_16005_7732_103_0_-";dur=1```
Narlotl commented 4 weeks ago

Sorry, that header should be at https://iowa.gov, but it's the same idea.

monicadear commented 1 week ago

Understood we've filed an update for this