zephyrproject-rtos / infrastructure-old

Zephyr Infrastructure Issue Tracker (obsolete)

Secured delivery against man-in-the-middle (MITM) attacks #218

Closed bprestonlf closed 4 years ago

bprestonlf commented 4 years ago

per https://bestpractices.coreinfrastructure.org/en/projects/74?criteria_level=2#security

The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site]

Note that GitHub is known to meet this. Sites such as https://securityheaders.io/ can quickly check this. The key hardening headers are: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options (as "nosniff"), X-Frame-Options, and X-XSS-Protection. Static web sites with no ability to log in via the web pages may omit the CSP and X-XSS-Protection HTTP hardening headers, because in that situation those headers are less effective.

The project websites implement hardening headers.

www.zephyrproject.org
https://github.com/zephyrproject-rtos/zephyr
// One or more of the required security hardening headers is missing.
// X-Content-Type-Options was not set to "nosniff".

kestewart commented 4 years ago

@lloveday - can you please assign yourself to this, so we know it's being tracked.

Lloveday commented 4 years ago

@kestewart - Hi Kate, I currently don't have the permissions to assign myself to any issues. @bprestonlf - Do you mind granting me that access? Thanks so much.

Lloveday commented 4 years ago

This has been fixed. Please verify on your end.

bprestonlf commented 4 years ago

@Lloveday The report is complaining that our server is replying with two "Strict-Transport-Security" headers (with two different values). We are indeed reporting both of those.

Do you know what we should be including in a Feature-Policy header? Ours is blank.

ref: https://bestpractices.coreinfrastructure.org/en/projects/74?criteria_level=2#security (UNMET: Secured delivery against man-in-the-middle (MITM) attacks)

Lloveday commented 4 years ago

Hi Brett, I have removed one of the Strict-Transport-Security headers, and added parameters to the Feature Policy. It may take a few hours for these changes to take effect.