Closed spring-projects-issues closed 5 years ago
Any updates to this? I just ran a scan with https://observatory.mozilla.org/ and found out that preload was flagged as missing on my site.
Thanks a lot in advance.
Closing as duplicate of gh-6312
Oleksandr Golonzovskyi (Migrated from SEC-3192) said:
The HSTS header provides the user agent with a hint to use SSL for a specific domain. However, the first access to a specific domain is a potential attack surface. A predefined list is maintained by Chrome and used by other browsers to avoid this vulnerability.
In order for a domain to be added to the preload list we need to have the "preload" token in the HSTS header. See: https://www.chromium.org/hsts/, https://hstspreload.appspot.com/
This token is not mentioned in the original RFC; however, it is recommended per https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
The proposal is to add the "preload" token to the HSTS header configuration; not sure if it should be enabled by default (as it may cause long-term consequences, so it could require a conscious decision). Therefore the default HSTS header example after the change: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
A possible additional check: allow adding the preload token only if max-age >= 10886400.
References: https://www.chromium.org/hsts/ https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
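The guard proposed in the issue (only emit "preload" when max-age is at least 10886400 and includeSubDomains is set) is easy to get wrong by hand, so here is an added example that is not part of the issue and not Spring Security's own code. It parses a Strict-Transport-Security value, reports why it would fail the preload requirements named above, and builds a header that refuses to add the token unless those requirements hold. The function names, the parser and the sample header values are assumptions made for this illustration; the 10886400-second minimum and the includeSubDomains requirement come from the issue text.

```python
"""Preload-eligibility checks for Strict-Transport-Security (added example,
not Spring Security code). Thresholds taken from the issue text."""
import re

# Minimum max-age required for preload submission, as stated in the issue (18 weeks).
PRELOAD_MIN_MAX_AGE = 10886400


def parse_hsts(header_value):
    """Parse an HSTS header value into {lowercase directive: value-or-None}.

    Directives are ';'-separated; a directive without '=' maps to None.
    RFC 6797 forbids repeating a directive, so duplicates raise ValueError.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def preload_problems(header_value):
    """Return the reasons a header would not satisfy the preload requirements
    from the issue; an empty list means it passes all of them."""
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} < {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


def build_hsts(max_age, include_subdomains=True, preload=False):
    """Build a header value, applying the guard proposed in the issue:
    'preload' is only emitted when max-age >= 10886400 and includeSubDomains is on."""
    value = f"max-age={int(max_age)}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        if max_age < PRELOAD_MIN_MAX_AGE or not include_subdomains:
            raise ValueError(
                "preload requires includeSubDomains and max-age >= 10886400"
            )
        value += "; preload"
    return value


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=31536000",
                   "max-age=3600; includeSubDomains; preload"):
        print(sample, "->", preload_problems(sample) or "preload-eligible")
    print(build_hsts(31536000, include_subdomains=True, preload=True))
```

The header the issue proposes as the new default passes the check, while a header that sets preload with a short max-age is reported rather than silently accepted, which is the point of gating the token at configuration time: once a domain is on the preload list, the setting cannot be undone by simply removing the header.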