Add includeSubdomains to HSTS header
The absence of this option allows more downgrade attacks, especially on cookies which are sent to subdomains (as explained in the OWASP cheatsheet).
It carries an additional operational risk though, as it can easily impact other sites/applications hosted on a current or future subdomain of the Rudder domain.
We need to document this clearly in the settings.
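To make the two points above concrete (what `includeSubDomains` changes, and why it is an operational risk for anything else hosted under the same domain), here is an added example that is not Rudder's code. It parses a `Strict-Transport-Security` header value per RFC 6797, reports findings a reviewer would want, and checks which hosts a policy set by a given host actually covers. The hostnames and header values are constructed for the example.

```python
"""Check a Strict-Transport-Security (HSTS) header for includeSubDomains.

Added example, not part of Rudder. Hostnames and header values below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# One year, the usual minimum recommended max-age for a production policy.
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse HSTS directives (RFC 6797): ';'-separated, names case-insensitive."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                max_age = None  # malformed max-age: treat as absent
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(value: Optional[str], min_age: int = MIN_MAX_AGE) -> List[str]:
    """Return review findings for a header value (None means header absent)."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    policy = parse_hsts(value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age directive missing or malformed")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below {min_age}")
    if not policy.include_subdomains:
        findings.append(
            "includeSubDomains directive missing: subdomains (and cookies "
            "scoped to them) are not forced to HTTPS"
        )
    return findings


def policy_covers(policy: HstsPolicy, hsts_host: str, request_host: str) -> bool:
    """Does a policy received from hsts_host apply to a request to request_host?

    Without includeSubDomains the browser only enforces HTTPS for the exact
    host that sent the header. With it, every subdomain is covered, which is
    both the security benefit and the operational risk named in the ticket.
    """
    hsts_host = hsts_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == hsts_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + hsts_host)


if __name__ == "__main__":
    # Constructed sample values: the weak header beside the corrected one.
    weak = "max-age=31536000"
    fixed = "max-age=31536000; includeSubDomains"
    for label, header in (("weak", weak), ("fixed", fixed)):
        pol = parse_hsts(header)
        print(label, hsts_findings(header))
        # A cookie for .rudder.example would also be sent to api.rudder.example;
        # only the fixed policy forces that request onto HTTPS.
        print("  covers api.rudder.example:",
              policy_covers(pol, "rudder.example", "api.rudder.example"))
        # The same flag also binds any other app under the domain to HTTPS.
        print("  covers wiki.rudder.example:",
              policy_covers(pol, "rudder.example", "wiki.rudder.example"))
```

Running the block shows the weak header producing the `includeSubDomains` finding and covering neither subdomain, while the fixed header covers both `api.rudder.example` and `wiki.rudder.example`; the second host is the case to document in the settings, since a plain-HTTP application there would stop being reachable once the flag is enabled.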
- Status changed from New to In progress
- Assignee set to Alexis Mousset
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/4628
- Status changed from Pending technical review to Pending release
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.2.4 which was released today.