
HTTP Strict Transport Security (HSTS) is not implemented

Open · cwjohnston opened this issue 6 years ago · 1 comment

Expected Behavior

Uchiwa supports HTTP Strict Transport Security (HSTS) as a mechanism for protecting against protocol downgrade attacks and cookie hijacking.

Current Behavior

Uchiwa does not implement the HSTS policy mechanism.

Context

Lack of HSTS headers over HTTPS connections leaves Uchiwa instances vulnerable to protocol downgrade attacks and cookie hijacking.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security for reference.

Your Environment

  • Uchiwa version used: 1.3.1
  • Sensu version used:
  • Operating System and version (e.g. Ubuntu 14.04):

cwjohnston avatar Jan 03 '19 00:01 cwjohnston
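Uchiwa is a Go service, so the header described in the issue would be set by an `http.Handler` wrapper. The following is an added example, not Uchiwa's own code: a middleware that emits `Strict-Transport-Security` only on responses served over TLS (browsers ignore the header on plain HTTP, and sending it there is pointless), plus a small checker an operator can run against a captured header value. The names `HSTSConfig`, `HSTS`, `CheckHSTS` and `ServeProbe` are assumed for this example, and the sample request is constructed in-process.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// HSTSConfig holds the policy parameters for the Strict-Transport-Security header (RFC 6797).
// (Hypothetical type for this example; Uchiwa has no such config.)
type HSTSConfig struct {
	MaxAge            int  // seconds the browser must keep using HTTPS for this host
	IncludeSubDomains bool // also apply the policy to subdomains
	Preload           bool // opt in to browser preload lists (only meaningful with a long MaxAge)
}

// HeaderValue renders the policy as a header value, e.g. "max-age=31536000; includeSubDomains".
func (c HSTSConfig) HeaderValue() string {
	parts := []string{fmt.Sprintf("max-age=%d", c.MaxAge)}
	if c.IncludeSubDomains {
		parts = append(parts, "includeSubDomains")
	}
	if c.Preload {
		parts = append(parts, "preload")
	}
	return strings.Join(parts, "; ")
}

// HSTS wraps next and adds the header only when the request arrived over TLS.
func HSTS(cfg HSTSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", cfg.HeaderValue())
		}
		next.ServeHTTP(w, r)
	})
}

// CheckHSTS validates a header value as an operator would when auditing a deployment:
// max-age must be present and non-negative, and a preload request needs includeSubDomains.
func CheckHSTS(value string) error {
	if value == "" {
		return errors.New("Strict-Transport-Security header missing")
	}
	maxAgeSeen, subdomains, preload := false, false, false
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		switch {
		case strings.HasPrefix(strings.ToLower(d), "max-age="):
			n, err := strconv.Atoi(d[len("max-age="):])
			if err != nil || n < 0 {
				return fmt.Errorf("invalid max-age directive %q", d)
			}
			maxAgeSeen = true
		case strings.EqualFold(d, "includeSubDomains"):
			subdomains = true
		case strings.EqualFold(d, "preload"):
			preload = true
		}
	}
	if !maxAgeSeen {
		return errors.New("max-age directive missing")
	}
	if preload && !subdomains {
		return errors.New("preload requires includeSubDomains")
	}
	return nil
}

// ServeProbe sends one constructed request through the middleware (optionally marked as
// received over TLS) and returns the Strict-Transport-Security value the handler emitted.
func ServeProbe(cfg HSTSConfig, overTLS bool) string {
	h := HSTS(cfg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	// Constructed request; an http:// target leaves req.TLS nil so the TLS case is set explicitly.
	req := httptest.NewRequest(http.MethodGet, "http://uchiwa.example/", nil)
	if overTLS {
		req.TLS = &tls.ConnectionState{}
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	cfg := HSTSConfig{MaxAge: 31536000, IncludeSubDomains: true}
	fmt.Printf("over TLS:   %q\n", ServeProbe(cfg, true))
	fmt.Printf("plain HTTP: %q\n", ServeProbe(cfg, false))
	fmt.Println("check:", CheckHSTS(ServeProbe(cfg, true)))
}
```

The one-year `max-age` with `includeSubDomains` matches the MDN guidance linked in the issue; start with a short `max-age` when first rolling the header out, because a browser that has cached a long policy will refuse plain-HTTP access to the host until it expires.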

Per Simon, should be easy to implement.

annaplotkin avatar Mar 18 '19 19:03 annaplotkin