This repository has been archived by the owner on Jan 7, 2020. It is now read-only.

HTTP Strict Transport Security (HSTS) is not implemented #808

Open
cwjohnston opened this issue Jan 3, 2019 · 1 comment
cwjohnston (Contributor) commented Jan 3, 2019

Expected Behavior

Uchiwa supports HTTP Strict Transport Security (HSTS) as a mechanism for protecting against protocol downgrade attacks and cookie hijacking.

Current Behavior

Uchiwa does not implement the HSTS policy mechanism.

Context

Lack of HSTS headers over HTTPS connections leaves Uchiwa instances vulnerable to protocol downgrade attacks and cookie hijacking.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security for reference.

Your Environment

  • Uchiwa version used: 1.3.1
  • Sensu version used:
  • Operating System and version (e.g. Ubuntu 14.04):

@annaplotkin

Per Simon, should be easy to implement.

@annaplotkin annaplotkin added this to the 1.7.0 milestone Apr 8, 2019
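
The header this issue asks for, as an added example in Go (not Uchiwa's code and not part of the original thread): a `net/http` middleware that sends `Strict-Transport-Security` only on requests that arrived over HTTPS. The `HSTSPolicy` type, the `probe` helper, the `uchiwa.example` host and the one-year `max-age` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// HSTSPolicy holds the Strict-Transport-Security directives (hypothetical type).
type HSTSPolicy struct {
	MaxAge              time.Duration
	IncludeSubDomains   bool
	TrustForwardedProto bool // assumption: enable only behind a proxy that overwrites this header
}

// HeaderValue renders the policy, e.g. "max-age=31536000; includeSubDomains".
func (p HSTSPolicy) HeaderValue() string {
	v := fmt.Sprintf("max-age=%d", int64(p.MaxAge.Seconds()))
	if p.IncludeSubDomains {
		v += "; includeSubDomains"
	}
	return v
}

// Middleware sets the header only on secure requests; browsers ignore it over plain HTTP.
func (p HSTSPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		viaProxy := p.TrustForwardedProto && strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
		if r.TLS != nil || viaProxy {
			w.Header().Set("Strict-Transport-Security", p.HeaderValue())
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns the header it set.
func probe(p HSTSPolicy, target, forwardedProto string) string {
	req := httptest.NewRequest(http.MethodGet, target, nil) // sets req.TLS for https:// targets
	req.Header.Set("X-Forwarded-Proto", forwardedProto)
	rec := httptest.NewRecorder()
	p.Middleware(http.NotFoundHandler()).ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	fmt.Println(probe(HSTSPolicy{MaxAge: 365 * 24 * time.Hour, IncludeSubDomains: true}, "https://uchiwa.example/", ""))
}
```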