Open cwjohnston opened 5 years ago
Expected Behavior
Uchiwa supports HTTP Strict Transport Security (HSTS) as a mechanism for protecting against protocol downgrade attacks and cookie hijacking.
Current Behavior
Uchiwa does not implement the HSTS policy mechanism.
Context
Lack of HSTS headers over HTTPS connections leaves Uchiwa instances vulnerable to protocol downgrade attacks and cookie hijacking.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security for reference.
Per Simon, should be easy to implement.
Your Environment
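As an added illustration of the behaviour the issue asks for (this is not Uchiwa's code and not from the issue author), the following Go `net/http` middleware sets the `Strict-Transport-Security` header only on responses to requests that actually arrived over TLS, and checks itself against in-process HTTPS and plain-HTTP test servers. The names `WithHSTS`, `HSTSHeaderValue` and `ProbeHSTS` are made up for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hstsMaxAge is the policy lifetime in seconds; one year is a common baseline.
const hstsMaxAge = 31536000

// HSTSHeaderValue builds a Strict-Transport-Security value from its directives.
func HSTSHeaderValue(maxAge int, includeSubDomains bool) string {
	v := fmt.Sprintf("max-age=%d", maxAge)
	if includeSubDomains {
		v += "; includeSubDomains"
	}
	return v
}

// WithHSTS is a hypothetical middleware (not Uchiwa's code) that emits the HSTS
// header only when the request reached this process over TLS. RFC 6797 requires
// clients to ignore the header on plain HTTP, so sending it there would be
// pointless; only the HTTPS response can pin the browser to HTTPS.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", HSTSHeaderValue(hstsMaxAge, true))
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeHSTS stands up an in-process test server (TLS or plain), sends one request
// through the middleware and returns the Strict-Transport-Security header received.
func ProbeHSTS(useTLS bool) string {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	var srv *httptest.Server
	if useTLS {
		srv = httptest.NewTLSServer(WithHSTS(app))
	} else {
		srv = httptest.NewServer(WithHSTS(app))
	}
	defer srv.Close()

	// srv.Client() is preconfigured to trust the test server's self-signed certificate.
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return "error: " + err.Error()
	}
	defer resp.Body.Close()
	return resp.Header.Get("Strict-Transport-Security")
}

func main() {
	fmt.Printf("HTTPS: %q\n", ProbeHSTS(true))  // "max-age=31536000; includeSubDomains"
	fmt.Printf("HTTP:  %q\n", ProbeHSTS(false)) // "" (header withheld on plain HTTP)
}
```

The `r.TLS != nil` check is the part to get right for a dashboard like Uchiwa: when TLS terminates at a reverse proxy in front of the Go process, `r.TLS` is nil for every request, so either the proxy must add the header itself or the application must be told (for example via a trusted `X-Forwarded-Proto` value set only by that proxy) that the client connection was HTTPS. Start with a short `max-age` while rolling out, since a misconfigured long-lived policy locks clients out of the HTTP origin until it expires.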