Bug #22248

closed

Add includeSubdomains to HSTS header

Added by Alexis Mousset 23 days ago. Updated 4 days ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Regression:
No

Description

The absence of this option allows more downgrade attacks, especially on cookies which are sent to subdomains (as explained in the owasp cheatsheet).

It carries an additional operational risk though, as it can easily impact other sites/applications hosted on a current or future subdomain of the Rudder domain.

We need to document this clearly in the settings.
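The two points raised in the description (a missing `includeSubDomains` directive leaves subdomain traffic and parent-domain cookies outside the policy, and a too-short or absent `max-age` makes the header ineffective) can be checked mechanically. The following is an added example and not Rudder project code: a small parser for the `Strict-Transport-Security` header value following the directive syntax of RFC 6797, plus a `hsts_findings` helper that reports what a reviewer would flag. The minimum `max-age` threshold and the sample header values are assumptions chosen for the example.

```python
"""Check a Strict-Transport-Security header for the includeSubDomains directive.

Added example, not Rudder project code. It parses the header value as RFC 6797
describes (semicolon-separated directives, case-insensitive names) and reports
whether includeSubDomains is present and whether max-age is large enough.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed threshold: six months, the value most deployment guides expect.
MIN_MAX_AGE_SECONDS = 15_552_000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an HSTS header value into its directives.

    Directive names are case-insensitive. RFC 6797 section 6.1 says a
    directive must not appear more than once, so a duplicate is rejected.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age value: {value!r}")
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.unknown.append(name)
    return policy


def hsts_findings(header_value: str) -> List[str]:
    """Return the list of problems found (an empty list means nothing to report)."""
    findings: List[str] = []
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    if policy.max_age is None:
        findings.append("max-age missing: header is ignored by browsers")
    elif policy.max_age == 0:
        findings.append("max-age=0: policy is being cleared, not enforced")
    elif policy.max_age < MIN_MAX_AGE_SECONDS:
        findings.append(f"max-age={policy.max_age} is below {MIN_MAX_AGE_SECONDS}")
    if not policy.include_subdomains:
        findings.append(
            "includeSubDomains missing: subdomains and cookies scoped to the "
            "parent domain are not covered by the policy"
        )
    return findings


# Constructed sample values: a header without and with the directive this ticket adds.
BEFORE = "max-age=31536000"
AFTER = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(label, hsts_findings(value) or ["ok"])
```

Because `includeSubDomains` applies to every current and future subdomain, run the check alongside an inventory of what else is served under the domain, which is the operational risk the description points out.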


Subtasks 1 (0 open, 1 closed)

Bug #22274: Add includeSubdomains to HSTS header with correct property name (Released, François ARMAND)
Actions #1

Updated by Alexis Mousset 23 days ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset 23 days ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/4628
Actions #3

Updated by Alexis Mousset 22 days ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Alexis Mousset 15 days ago

  • Subtask #22274 added
Actions #7

Updated by Vincent MEMBRÉ 4 days ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.2.4 which was released today.
