
Add HSTS preload and includeSubdomains directive

Open ovalseven8 opened this issue 6 years ago • 3 comments

Because it also affects Threema Web, I thought to create the issue here.

Please add the preload and includeSubdomains directives on all Threema websites. Then, when you have met all requirements, you can add yourself to https://hstspreload.org.

Also, as a side note: When I surf to http://web.threema.ch, I do not get some security headers.

$ http http://web.threema.ch -h

HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Thu, 30 Aug 2018 09:28:06 GMT
Location: https://web.threema.ch/
Public-Key-Pins: pin-sha256="8SLubAXo6MrrGziVya6HjCS/Cuc7eqtzw1v6AfIW57c="; pin-sha256="8kTK9HP1KHIP0sn6T2AFH3Bq+qq3wn2i/OJSMjewpFw="; max-age=5184000
Server: nginx
X-Content-Type-Options: nosniff

Compared to the HTTPS request:

$ http https://web.threema.ch -h

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 7175
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self' data:; media-src 'self' data:; connect-src 'self' https://push-web.threema.ch https://*.threema.ch wss://*.threema.ch; object-src 'none'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-same-origin allow-scripts allow-forms allow-popups; base-uri https://*.threema.ch/
Content-Type: text/html; charset=utf-8
Date: Thu, 30 Aug 2018 09:30:13 GMT
ETag: "5b7ece6f-1c07"
Last-Modified: Thu, 23 Aug 2018 15:10:39 GMT
Public-Key-Pins: pin-sha256="8SLubAXo6MrrGziVya6HjCS/Cuc7eqtzw1v6AfIW57c="; pin-sha256="8kTK9HP1KHIP0sn6T2AFH3Bq+qq3wn2i/OJSMjewpFw="; max-age=5184000
Referrer-Policy: no-referrer
Server: nginx
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

When I run http http://thomas-leister.de for example, I get all the security headers.

ovalseven8 · Aug 30 '18 09:08

Oh, I see you're already preloaded (at least that's what hstspreload.org says). I just looked at the headers and could not find the preload directive (what seems to be a requirement)?

ovalseven8 · Aug 30 '18 09:08

could not find the preload directive (what seems to be a requirement)

Yeah, I think Chrome ignores this, but at least Firefox verifies it still serves this header. So yes, Threema needs to continue to serve it.

rugk · Aug 30 '18 11:08

What's up with this issue?

  • [x] The max-age must be at least 31536000 seconds (1 year).
  • [ ] The includeSubDomains directive must be specified.
  • [ ] The preload directive must be specified.
  • [x] If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

ovalseven8 · Jul 06 '19 19:07
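The header dumps in the first post and the checklist in the last one can be turned into a small automated check. The following script is an added example, not code from this issue or from the Threema project: it parses raw HTTP responses, extracts the Strict-Transport-Security directives, and reports which of the hstspreload.org requirements listed above are unmet. The two sample responses are constructed from the header dumps earlier in the thread (bodies and unrelated headers omitted). One caveat the script encodes: per RFC 6797 a browser only honours HSTS on a response received over TLS, so the plain-HTTP 301 is only required to redirect to HTTPS, while the HTTPS response is where the max-age, includeSubDomains and preload directives are evaluated.

```python
"""Check Strict-Transport-Security headers against the hstspreload.org
requirements quoted in the thread.  Added example, not Threema code."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by hstspreload.org

# Constructed sample: the plain-HTTP redirect from the first post (headers only).
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Location: https://web.threema.ch/
Server: nginx
X-Content-Type-Options: nosniff
"""

# Constructed sample: the HTTPS response from the first post (headers only).
HTTPS_RESPONSE = """HTTP/1.1 200 OK
Referrer-Policy: no-referrer
Server: nginx
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw response into a header map; names are lowercased because
    HTTP header names are case-insensitive.  The status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS field value (RFC 6797 syntax) into a directive map.
    Directive names are lowercased; valueless directives map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def preload_findings(raw: str, over_tls: bool) -> List[str]:
    """Return the unmet preload requirements for one response.

    Browsers ignore HSTS sent over plain HTTP, so a non-TLS response is only
    checked for a redirect to an https:// URL; the directives themselves are
    evaluated on the TLS response."""
    headers = parse_headers(raw)
    findings: List[str] = []
    if not over_tls:
        if not headers.get("location", "").lower().startswith("https://"):
            findings.append("plain-HTTP response must redirect to HTTPS")
        return findings

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["Strict-Transport-Security header missing"]
    directives = parse_hsts(hsts)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit() or int(max_age) < ONE_YEAR:
        findings.append(f"max-age must be at least {ONE_YEAR} (got {max_age!r})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains directive must be specified")
    if "preload" not in directives:
        findings.append("preload directive must be specified")
    return findings


def recommended_header() -> str:
    """The header value that satisfies all three directive requirements."""
    return f"Strict-Transport-Security: max-age={ONE_YEAR}; includeSubDomains; preload"


if __name__ == "__main__":
    for label, raw, tls in (("http ", HTTP_REDIRECT, False), ("https", HTTPS_RESPONSE, True)):
        print(label, preload_findings(raw, tls) or ["ok"])
    print("suggested:", recommended_header())
```

Run against the constructed samples, the HTTP redirect passes (it points at https://web.threema.ch/), while the HTTPS response reports the two missing directives, matching the unchecked boxes in the list above. The check is deliberately strict about the header being present on the TLS response that does the redirecting, since that is the fourth requirement and the one most often lost when a redirect is served by a separate server block.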