asf-tooling opened a new issue, #1080:
URL: https://github.com/apache/tooling-trusted-releases/issues/1080

**ASVS Level(s):** L2

**Description:**

### Summary
The Strict-Transport-Security header is documented as being applied by the frontend proxy, not by the application itself. While this is a valid deployment pattern, if the proxy is misconfigured or replaced, HSTS protection silently disappears. The application's `add_security_headers` function adds several headers directly but omits HSTS, creating no defense-in-depth at the application layer.

### Details
In `atr/server.py` at lines 491-502, the `add_security_headers` function adds multiple security headers but does not include Strict-Transport-Security. The application relies on proxy configuration (lines 93-94) to apply HSTS headers. If the proxy configuration changes and HSTS is removed, browsers could make initial HTTP requests, leaking data.

This is a lower severity issue because HSTS is documented as being applied at proxy level and ProxyFixMiddleware is correctly configured.

### Recommended Remediation
Add HSTS at the application level as defense-in-depth (duplicate headers are harmless and the most restrictive wins):

```python
# atr/server.py, in add_security_headers
# Only set HSTS on HTTPS responses; browsers ignore the header over plain HTTP.
if quart.request.is_secure:
    response.headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains"
```

### Acceptance Criteria
- [ ] HSTS header added at application level for HTTPS requests
- [ ] Proxy-level HSTS configuration remains in place
- [ ] Unit test verifying HSTS header presence on secure requests

### References
- Source reports: L2:4.1.2.md
- Related findings: FINDING-116
- ASVS sections: 4.1.2

### Priority
Low

---
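An added example, not code from the ATR project: a framework-agnostic version of the hook logic recommended above, plus an RFC 6797 directive parser that the unit test in the acceptance criteria can use to check that the header is well-formed and long-lived, not merely present. Assumptions: a ProxyFix-style middleware in front of the app is trusted, so the first `X-Forwarded-Proto` value marks a request as secure, and header names are compared case-sensitively in the plain dicts used here.

```python
from typing import Mapping, MutableMapping, Optional

# Two years, as in the issue; includeSubDomains so sibling hosts cannot be downgraded.
HSTS_VALUE = "max-age=63072000; includeSubDomains"

def is_secure_request(scheme: str, headers: Mapping[str, str], trust_proxy: bool = True) -> bool:
    """True if the client used HTTPS, directly or (assumption: a trusted
    ProxyFix-style middleware is in front) per the first X-Forwarded-Proto value."""
    if scheme.lower() == "https":
        return True
    if trust_proxy:
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip()
        return proto.lower() == "https"
    return False

def add_hsts(resp: MutableMapping[str, str], scheme: str, req: Mapping[str, str]) -> MutableMapping[str, str]:
    """Defense-in-depth hook body: set HSTS on secure requests only (browsers
    ignore it over plain HTTP) and leave any value the proxy already set alone."""
    if is_secure_request(scheme, req) and "Strict-Transport-Security" not in resp:
        resp["Strict-Transport-Security"] = HSTS_VALUE
    return resp

def parse_hsts(value: str) -> Optional[dict]:
    """Parse the RFC 6797 directive list. None if max-age is missing or
    non-numeric, or any directive is repeated; unknown directives are ignored."""
    policy, seen = {"max_age": None, "include_subdomains": False, "preload": False}, set()
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # UAs must ignore a header with duplicated directives
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted-string
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def hsts_is_adequate(resp: Mapping[str, str], min_age: int = 31536000) -> bool:
    """What a unit test (or a check of the proxy's responses) should assert:
    header present, well-formed, and max-age of at least one year."""
    policy = parse_hsts(resp.get("Strict-Transport-Security", ""))
    return policy is not None and policy["max_age"] >= min_age
```

Running `hsts_is_adequate` against responses fetched through the proxy, not only in-process, is what catches the "proxy replaced and HSTS silently gone" case the issue describes.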


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
