[ https://issues.apache.org/jira/browse/FINERACT-2132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Wells updated FINERACT-2132:
----------------------------------
    Description: [Redacted]  (was: h2. Description
 
It was observed that the application does not implement the HTTP Strict 
Transport Security (HSTS) header, which instructs the browser to always load 
some files over HTTPS in order to mitigate SSL stripping attacks.
 
h2. Reproduction Steps
 
1- Observe the response of a GET request that does not have the HSTS header 
implemented.

 
h2. Impact Details
An attacker can potentially perform an SSL stripping attack, a type of downgrade 
attack that is implemented as part of a Man-in-the-Middle attack, on the 
application.
h2. Remediation Advice
It is recommended to implement and enforce HTTPS for the entire site and add 
the following header to all HTTPS responses using the application server 
configuration: Strict-Transport-Security: max-age=31536000; includeSubDomains.)
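A defender-side check for the remediation advice above, added here as an example and not part of the ticket or of the Fineract project: it parses a Strict-Transport-Security value per RFC 6797 and flags responses that lack the header, carry a malformed value a browser would ignore, or fall short of the recommended max-age and includeSubDomains. The response headers it inspects are constructed samples, not captured from the application.

```python
import re

# Recommended policy from the ticket's remediation advice (one year, in seconds).
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1) into
    {name: value-or-None}; return None when malformed, since browsers then
    ignore the header entirely (duplicate directive, bad/missing max-age)."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate empty segments such as a trailing ';'
        name, has_value, val = raw.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a directive given twice invalidates the header
        directives[name] = val.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None  # max-age is required and must be a non-negative integer
    return directives


def check_hsts(headers):
    """Return findings for one HTTPS response's headers (name -> value,
    matched case-insensitively); an empty list means the policy is met."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["HSTS header not implemented"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["HSTS header malformed; browsers will ignore it"]
    findings = []
    if int(parsed["max-age"]) < MIN_MAX_AGE:
        findings.append("max-age below recommended %d seconds" % MIN_MAX_AGE)
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed sample responses, not captured from the real application.
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "application/json"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "remediated": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
}
```

Running `check_hsts` over each entry of `SAMPLE_RESPONSES` reproduces the ticket's finding for the "missing" case and an empty list for the remediated header.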

> HSTS Header Not Implemented
> ---------------------------
>
>                 Key: FINERACT-2132
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2132
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Client, Security
>            Reporter: Peter Chen
>            Priority: Minor
>              Labels: backend, security, web
>
> [Redacted]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to