I ran across this today while auditing CSA services quarterly:

In the bl.ink URL redirection service, as of 2022-07-01, an improperly formatted
security header exists in the HSTS support. Specifically, the header served
is "strict-transport-security: max-age=63072000; includeSubdomains;",
which contains an extra semicolon (the final one is not needed). This may
result in some clients ignoring the HSTS header and thus rendering this
security protection ineffective.

There's some stuff for inbound/input/malformed/configuration/directive/etc.,
but I'm not seeing anything for malformed outbound configuration/output.

Kurt Seifried (He/Him)
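As an added example (not part of the post above, and not bl.ink's or any browser's code), here is a small Strict-Transport-Security parser written against the RFC 6797 section 6.1 grammar, run over the header value quoted in the post. One caveat worth knowing when assessing this kind of report: that grammar makes every directive optional (`[ directive ] *( ";" [ directive ] )`), so an empty directive produced by a trailing ";" is syntactically legal, and a conforming user agent accepts it; the `strict_empty_directives` flag is an assumption introduced here to model a stricter parser that would reject it. `HstsPolicy`, `parse_hsts` and `POSTED_HEADER` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 6797 section 6.1 (paraphrased ABNF):
#   Strict-Transport-Security = "Strict-Transport-Security" ":" [ directive ] *( ";" [ directive ] )
#   directive       = directive-name [ "=" directive-value ]
#   directive-name  = token          (case-insensitive)
#   directive-value = token | quoted-string
# Because each directive is optional, an empty element such as a trailing ";" is allowed.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE_RE = re.compile(rf"^\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*$")

# Header value reported in the post (constructed here as the sample input).
POSTED_HEADER = "max-age=63072000; includeSubdomains;"


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    directives: Dict[str, Optional[str]] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # A policy is usable only if it parsed cleanly and carries the required max-age.
        return not self.errors and self.max_age is not None


def _split_directives(value: str) -> List[str]:
    """Split on ';' while leaving ';' inside quoted-strings untouched."""
    parts, buf, in_quote, escape = [], [], False, False
    for ch in value:
        if in_quote:
            buf.append(ch)
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_hsts(value: str, strict_empty_directives: bool = False) -> HstsPolicy:
    """Parse an STS header value. strict_empty_directives=True models a parser that
    rejects the empty directive left by a stray ';' (stricter than RFC 6797 requires)."""
    policy = HstsPolicy()
    for raw in _split_directives(value):
        if raw.strip() == "":
            if strict_empty_directives:
                policy.errors.append("empty directive (stray ';')")
            continue
        m = DIRECTIVE_RE.match(raw)
        if not m:
            policy.errors.append(f"malformed directive: {raw.strip()!r}")
            continue
        name, val = m.group(1).lower(), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')  # unquote a quoted-string value
        if name in policy.directives:
            policy.errors.append(f"duplicate directive: {name}")  # RFC 6797: each directive at most once
            continue
        policy.directives[name] = val
        if name == "max-age":
            if val is None or not val.isdigit():
                policy.errors.append(f"max-age needs a non-negative integer, got {val!r}")
            else:
                policy.max_age = int(val)
        elif name == "includesubdomains":
            if val is not None:
                policy.errors.append("includeSubDomains is a valueless directive")
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unrecognised directives are ignored, as RFC 6797 requires.
    if policy.max_age is None and not any("max-age" in e for e in policy.errors):
        policy.errors.append("required max-age directive missing")
    return policy


if __name__ == "__main__":
    for strict in (False, True):
        p = parse_hsts(POSTED_HEADER, strict_empty_directives=strict)
        print(f"strict={strict}: valid={p.valid} max_age={p.max_age} "
              f"includeSubDomains={p.include_subdomains} errors={p.errors}")
```

Running the module shows the posted value parsing cleanly under the RFC grammar (max-age 63072000, includeSubDomains set) and failing only under the stricter parser, which is the distinction a triager would want to settle before rating the finding; a genuinely malformed value such as a missing ";" between directives fails under both.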
