Open sveeke opened 6 years ago
threatLevel=Low type=Missing HTTP Header
The HTTP Strict Transport Security policy defines a time frame during which a browser must connect to the web server via HTTPS. Connections using HTTP are not allowed, which means that the user is protected against security downgrade attacks.
Note that the response to the sample request does not contain an HSTS header:
```
POST /api-auth/token HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: https://surf-dev2.edubadges.nl/auth/login
Content-Length: 58
Origin: https://surf-dev2.edubadges.nl
Connection: close

username=stefanpentest%2Bteacher%40gmail.com&password=test
```

```
HTTP/1.1 400 Bad Request
Server: nginx/1.12.2
Date: Thu, 07 Jun 2018 01:18:13 GMT
Content-Type: application/json
Connection: close
Vary: Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: POST, OPTIONS
Content-Length: 68

{"non_field_errors":["Unable to log in with provided credentials."]}
```
impact: An attacker could trick the user into using the insecure version of the site, or a man-in-the-middle attacker could redirect traffic from the secure version to the insecure version. An attacker then could eavesdrop on the connection and obtain sensitive data.
recommendation: Make sure to set proper HTTP Strict-Transport-Security headers for all web servers that should send out content over HTTPS only.
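As an added example (editor's code, not part of this issue or the edubadges project), the check below parses a raw HTTP response and reports whether its Strict-Transport-Security policy is missing, malformed or too short-lived. The sample responses are constructed to mirror the headers quoted above; the one-year `MIN_MAX_AGE` threshold is an assumption, chosen because it is the value commonly recommended and the minimum the browser preload list accepts.

```python
"""Assess the HTTP Strict-Transport-Security policy in a raw HTTP response.

Editor's example, not code from the issue or the project. Sample responses
below are constructed to mirror the headers quoted in the finding.
"""

from typing import Dict, List, Optional

# Assumed threshold for this example: one year in seconds.
MIN_MAX_AGE = 31536000


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values (a name may repeat)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an STS value into directives; valueless directives map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def assess_hsts(raw_response: str) -> List[str]:
    """Return findings for the STS policy; an empty list means it passes."""
    values = parse_response_headers(raw_response).get("strict-transport-security", [])
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    findings: List[str] = []
    if len(values) > 1:
        # RFC 6797: a browser processes only the first STS header field.
        findings.append("multiple STS headers; browsers honour only the first")
    directives = parse_hsts(values[0])
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # max-age is mandatory; without it the whole policy is ignored.
        findings.append("invalid: max-age missing or non-numeric, policy ignored")
    elif int(max_age) == 0:
        findings.append("max-age=0 deletes the policy instead of setting one")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"weak: max-age={max_age} is below {MIN_MAX_AGE} seconds")
    if "includesubdomains" not in directives:
        findings.append("note: includeSubDomains absent, subdomains are not covered")
    return findings


# Constructed sample: the 400 response from the finding, with no STS header.
RESPONSE_WITHOUT_HSTS = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: nginx/1.12.2\r\n"
    "Content-Type: application/json\r\n"
    "Vary: Authorization, Cookie\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Length: 68\r\n"
    "\r\n"
    '{"non_field_errors":["Unable to log in with provided credentials."]}'
)

# Constructed sample: the same response once the recommended header is set.
RESPONSE_WITH_HSTS = RESPONSE_WITHOUT_HSTS.replace(
    "Server: nginx/1.12.2\r\n",
    "Server: nginx/1.12.2\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n",
)

# Constructed sample: a policy that expires after five minutes.
RESPONSE_WEAK_HSTS = RESPONSE_WITHOUT_HSTS.replace(
    "Server: nginx/1.12.2\r\n",
    "Server: nginx/1.12.2\r\nStrict-Transport-Security: max-age=300\r\n",
)


if __name__ == "__main__":
    for label, resp in [("no header", RESPONSE_WITHOUT_HSTS),
                        ("hardened", RESPONSE_WITH_HSTS),
                        ("weak", RESPONSE_WEAK_HSTS)]:
        print(label, "->", assess_hsts(resp) or ["ok"])
```

Two caveats when applying the recommendation: browsers only honour the header on responses received over HTTPS, so it must be emitted by the TLS endpoint; and with nginx, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` needs the `always` parameter, otherwise the header is omitted from error responses such as the 400 shown in the finding.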
I'll do this one when building the new pilot environment.
The web servers for badgr-dev2.edubadges.nl do not respond with an HTTP Strict-Transport-Security header. This means there isn't a Strict Transport Security policy in place.