Bug #22248: Add includeSubdomains to HSTS header - Rudder - Issue Tracker

Actions

Copy link

Bug #22248

closed

Add includeSubdomains to HSTS header

Added by Alexis Mousset over 1 year ago. Updated about 1 year ago.

Status:

Released

Priority:

N/A

Assignee:

Nicolas CHARLES

Category:

Security

Target version:

7.2.4

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

The absence of this option allows more downgrade attacks, espacially on cookies which are sen ton subdomains (as explained in the owasp cheatsheet).

It carries an additionnal operational risk though, as it can easily impact other sites/applications hosted on a current or future subdomain of the Rudder domain.

We need to document this clearly in the settings.

Subtasks 1 (0 open — 1 closed)

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder

Custom queries

Bug #22248

Add includeSubdomains to HSTS header

Updated by Alexis Mousset over 1 year ago

Updated by Alexis Mousset over 1 year ago

Updated by Alexis Mousset over 1 year ago

Updated by Alexis Mousset about 1 year ago

Updated by Alexis Mousset about 1 year ago

Updated by Alexis Mousset about 1 year ago

Updated by Vincent MEMBRÉ about 1 year ago