Peter Chen created FINERACT-2132:
------------------------------------
Summary: HSTS Header Not Implemented
Key: FINERACT-2132
URL: https://issues.apache.org/jira/browse/FINERACT-2132
Project: Apache Fineract
Issue Type: Bug
Components: Client, Security
Reporter: Peter Chen
h2. Description
It was observed that the application does not implement the HTTP Strict
Transport Security (HSTS) header. This header instructs the browser to only
connect to the site over HTTPS, which mitigates SSL stripping attacks.
h2. Reproduction Steps
1- Observe that the response to a GET request does not include the HSTS
header.
h2. Impact Details
An attacker can potentially perform an SSL stripping attack on the
application. This is a type of downgrade attack carried out as part of a
Man-In-The-Middle attack.
h2. Remediation Advice
It is recommended to implement and enforce HTTPS for the entire site and add
the following header to all HTTPS responses using the application server
configuration: Strict-Transport-Security: max-age=31536000; includeSubDomains
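The following is an added example, not code from the Fineract project or from the reporter, showing how the reproduction step and the remediation can be verified: it parses a Strict-Transport-Security header value according to RFC 6797 and flags responses that are missing the header, carry a malformed value, or use a max-age shorter than the one-year value recommended above. The sample response headers are constructed for illustration and do not come from a real deployment.

```python
"""Check HTTP response headers for a usable Strict-Transport-Security (HSTS) policy.

The sample headers at the bottom are constructed for this example and were not
captured from a real Fineract server.
"""
import re
from typing import Dict, List, Optional, Tuple

# One year in seconds, the max-age value recommended in the remediation advice.
RECOMMENDED_MAX_AGE = 31536000


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an HSTS header value as described in RFC 6797.

    Returns a dict with max_age (int), include_subdomains (bool) and preload (bool),
    or None when the value is malformed (missing max-age, non-numeric max-age, or a
    directive repeated more than once).
    """
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be sent as a quoted string
        if name in seen:                     # RFC 6797: each directive at most once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":              # not in RFC 6797, but honoured by browsers
            result["preload"] = True
        # Unknown directives are ignored by browsers, so they are ignored here too.
    if result["max_age"] is None:            # max-age is the only required directive
        return None
    return result


def check_hsts(headers: Dict[str, str], over_https: bool = True,
               min_max_age: int = RECOMMENDED_MAX_AGE) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for one response's headers.

    ok is True only when an HSTS policy is present, well-formed, delivered over
    HTTPS, covers subdomains and has a max-age of at least min_max_age.
    """
    findings: List[str] = []
    value = None
    for name, v in headers.items():          # header names are case-insensitive
        if name.lower() == "strict-transport-security":
            value = v
    if value is None:
        return False, ["Strict-Transport-Security header missing"]
    if not over_https:
        # Browsers ignore HSTS received over plain HTTP (RFC 6797 section 8.1),
        # so the header only has effect on HTTPS responses.
        findings.append("HSTS header sent over HTTP is ignored by browsers")
    policy = parse_hsts(value)
    if policy is None:
        return False, findings + [f"malformed HSTS header: {value!r}"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the policy instead of enforcing it")
    elif policy["max_age"] < min_max_age:
        findings.append(f"max-age {policy['max_age']} is below recommended {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay exposed to stripping")
    return len(findings) == 0, findings


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "application/json"},
    "recommended": {"Content-Type": "application/json",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "too_short": {"strict-transport-security": "max-age=300"},
    "malformed": {"Strict-Transport-Security": "includeSubDomains"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        ok, findings = check_hsts(hdrs)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

To use it against a live deployment, pass the response headers from whatever HTTP client you use as the `headers` dict and set `over_https` from the scheme of the URL that was requested; a policy observed only on HTTP responses does not count as remediated.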
--
This message was sent by Atlassian Jira
(v8.20.10#820010)