
Bug #22248

closed

Add includeSubdomains to HSTS header

Added by Alexis Mousset about 2 years ago. Updated about 2 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

The absence of this option allows more downgrade attacks, especially on cookies which are sent to subdomains (as explained in the OWASP cheatsheet).

It carries an additional operational risk though, as it can easily impact other sites/applications hosted on a current or future subdomain of the Rudder domain.

We need to document this clearly in the settings.
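As an added example (not code from the Rudder issue or its pull request), a small Python audit that parses a Strict-Transport-Security header value and reports the weaknesses discussed above: a missing includeSubDomains directive, and a missing, malformed or too-short max-age. Directive names are matched case-insensitively as RFC 6797 requires; the sample header values and the one-year minimum are constructed assumptions.

```python
import re

# One HSTS directive: a name, optionally "=" and a (possibly quoted) value (RFC 6797 section 6.1).
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')

ONE_YEAR = 31536000  # assumed minimum max-age for the audit (constructed threshold)


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {lowercased name: value or None}.

    Raises ValueError on malformed or duplicated directives, which browsers
    treat as an invalid header (the whole policy is then ignored).
    """
    directives = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        match = _DIRECTIVE_RE.match(part)
        if not match:
            raise ValueError(f"malformed HSTS directive: {part.strip()!r}")
        name = match.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = match.group(2)
    return directives


def audit_hsts(header_value, min_max_age=ONE_YEAR):
    """Return a list of findings for an HSTS header value; [] means it passes."""
    try:
        directives = parse_hsts(header_value)
    except ValueError as err:
        return [str(err)]
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age is missing or not a number; the header is invalid")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age={max_age} is below {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains (and cookies sent to "
                        "them) are still reachable over plain HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample header values for illustration.
    for value in ("max-age=31536000; includeSubDomains", "max-age=31536000",
                  "max-age=0; includeSubDomains"):
        print(f"{value!r}: {audit_hsts(value) or 'ok'}")
```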


Subtasks 1 (0 open, 1 closed)

Bug #22274: Add includeSubDomains to HSTS header with correct property name (Released, François ARMAND)
#1

Updated by Alexis Mousset about 2 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
#2

Updated by Alexis Mousset about 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/4628
#3

Updated by Alexis Mousset about 2 years ago

  • Status changed from Pending technical review to Pending release
#4

Updated by Alexis Mousset about 2 years ago

  • Subtask #22274 added
#5

Updated by Alexis Mousset about 2 years ago

  • Fix check changed from To do to Error - Blocking
#6

Updated by Alexis Mousset about 2 years ago

  • Fix check changed from Error - Blocking to Checked
#7

Updated by Vincent MEMBRÉ about 2 years ago

  • Status changed from Pending release to Released