Bug #22248
Add includeSubdomains to HSTS header (closed)
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No
Description
The absence of this option allows more downgrade attacks, especially on cookies which are sent to subdomains (as explained in the OWASP cheat sheet).
It carries an additional operational risk though, as it can easily impact other sites/applications hosted on a current or future subdomain of the Rudder domain.
We need to document this clearly in the settings.
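As an added illustration of the point made in the description (this is example code written for this note, not part of Rudder or of the ticket's pull request), the following Python evaluates a Strict-Transport-Security value the way a browser does per RFC 6797 and then lists the hosts that a cookie scoped to the Rudder domain is sent to but that the policy does not force onto HTTPS. The host names, the cookie Domain attribute and the header values are constructed for the example; the functions parse_hsts, host_is_covered and exposed_cookie_hosts are the example's own.

```python
"""Audit a Strict-Transport-Security (HSTS) header as a browser applies it
(RFC 6797) and list the hosts that still receive a given cookie over a
downgradeable connection. Example code for this ticket, not Rudder code;
host names and header values are constructed."""
import re

_MAX_AGE = re.compile(r"^\d+$")


def parse_hsts(value):
    """Parse an STS field value into a policy dict, or return None if a
    browser would ignore the header.

    Rules from RFC 6797 section 6.1: directive names are case-insensitive,
    max-age is required, each directive may appear at most once, and
    unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: the whole header is invalid
        seen.add(name)
        if name == "max-age":
            if not _MAX_AGE.match(arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored by user agents
    if policy["max_age"] is None:
        return None
    return policy


def _norm(host):
    return host.strip().rstrip(".").lower()


def host_is_covered(policy, policy_host, host):
    """True if a policy learned from `policy_host` forces HTTPS for `host`.

    A policy covers exactly its own host; with includeSubDomains it also
    covers every subdomain of that host (superdomain match, RFC 6797
    sections 8.2 and 8.3). max-age=0 removes the policy, so it covers nothing.
    """
    if policy is None or policy["max_age"] == 0:
        return False
    policy_host, host = _norm(policy_host), _norm(host)
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)


def exposed_cookie_hosts(policy, policy_host, cookie_domain, known_hosts):
    """Hosts in `known_hosts` that receive a cookie with Domain=`cookie_domain`
    but that the HSTS policy does not force onto HTTPS.

    A cookie scoped to the parent domain is sent to every host under it, so
    an attacker who can make the browser load http://<uncovered host>/
    observes it in clear text unless the cookie also carries Secure.
    """
    cookie_domain = _norm(cookie_domain).lstrip(".")

    def receives_cookie(h):
        h = _norm(h)
        return h == cookie_domain or h.endswith("." + cookie_domain)

    return [h for h in known_hosts
            if receives_cookie(h) and not host_is_covered(policy, policy_host, h)]


if __name__ == "__main__":
    # Constructed scenario: the Rudder web UI at rudder.example.com sets a
    # session cookie with Domain=.rudder.example.com; two other hosts live
    # under that name, one of them plain-HTTP only.
    hosts = ["rudder.example.com", "api.rudder.example.com",
             "legacy.rudder.example.com", "www.example.com"]
    for header in ("max-age=31536000", "max-age=31536000; includeSubDomains"):
        policy = parse_hsts(header)
        exposed = exposed_cookie_hosts(policy, "rudder.example.com",
                                       ".rudder.example.com", hosts)
        print(f"{header!r:45} exposed: {exposed or 'none'}")
```

Two things the run makes visible. First, the header without includeSubDomains leaves every other host under rudder.example.com as a plaintext path to the cookie, which is the downgrade the description refers to; with the directive the list is empty. Second, the directive only covers hosts below the one that sent the header (www.example.com is never covered by a policy from rudder.example.com), and once a browser has cached the policy, any plain-HTTP host under the Rudder name (legacy.rudder.example.com in the scenario) becomes unreachable until max-age expires, which is the operational risk the description asks to document.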
Updated by Alexis Mousset almost 2 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset almost 2 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/4628
Updated by Alexis Mousset almost 2 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|05faadb5a5df9edb07bf81ff8faaaa22c4753152.
Updated by Alexis Mousset almost 2 years ago
- Fix check changed from To do to Error - Blocking
Updated by Alexis Mousset almost 2 years ago
- Fix check changed from Error - Blocking to Checked
Updated by Vincent MEMBRÉ almost 2 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.2.4 which was released today.