sensu / uchiwa

Uchiwa is a simple yet effective open-source dashboard for the Sensu monitoring framework.
https://uchiwa.io
MIT License

HTTP Strict Transport Security (HSTS) is not implemented #808

Open cwjohnston opened 5 years ago

cwjohnston commented 5 years ago

Expected Behavior

Uchiwa supports HTTP Strict Transport Security (HSTS) as a mechanism for protecting against protocol downgrade attacks and cookie hijacking.

Current Behavior

Uchiwa does not implement the HSTS policy mechanism.

Context

Lack of HSTS headers over HTTPS connections leaves Uchiwa instances vulnerable to protocol downgrade attacks and cookie hijacking.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security for reference.

Your Environment

annaplotkin commented 5 years ago

Per Simon, should be easy to implement.
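One way a Go net/http service can emit the header the issue asks for, as an added example that is not Uchiwa's own code: the middleware sets Strict-Transport-Security only on responses served over TLS (the header is ignored on plain HTTP), and a small helper replays a request through it so the policy can be checked in a test. The config type, field names and the `uchiwa.example` host are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// HSTSConfig holds the Strict-Transport-Security values (example's own names, not Uchiwa settings).
type HSTSConfig struct {
	MaxAgeSeconds     int  // how long the browser pins the host to HTTPS
	IncludeSubDomains bool // extend the policy to all subdomains
}

// HeaderValue renders e.g. "max-age=31536000; includeSubDomains".
func (c HSTSConfig) HeaderValue() string {
	v := "max-age=" + strconv.Itoa(c.MaxAgeSeconds)
	if c.IncludeSubDomains {
		v += "; includeSubDomains"
	}
	return v
}

// HSTS wraps a handler and sets the header only when the request arrived
// over TLS: browsers ignore HSTS on plain HTTP, so sending it there only
// gives a false sense of coverage.
func HSTS(cfg HSTSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", cfg.HeaderValue())
		}
		next.ServeHTTP(w, r)
	})
}

// hstsHeaderFor runs one request through the middleware and returns the header a client would see.
func hstsHeaderFor(cfg HSTSConfig, overTLS bool) string {
	target := "http://uchiwa.example/" // constructed host, not a real instance
	if overTLS {
		target = "https://uchiwa.example/" // httptest marks https targets as TLS
	}
	h := HSTS(cfg, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Header().Get("Strict-Transport-Security")
}
```

A max-age of one year with includeSubDomains is the common baseline; a deployment behind a TLS-terminating proxy would need to pass the scheme through (for example via a forwarded header) or set the header at the proxy instead.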