** Information type changed from Private Security to Public Security
** Changed in: mahara/16.10
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1734767
Title:
Mahara needing the HTTP Strict Transport Security (HSTS) header when
site is https
Status in Mahara:
Fix Committed
Status in Mahara 16.10 series:
Fix Released
Status in Mahara 17.04 series:
Fix Committed
Status in Mahara 17.10 series:
Fix Committed
Status in Mahara 18.04 series:
Fix Committed
Bug description:
If a website accepts a connection through HTTP and redirects to HTTPS,
visitors may initially communicate with the non-encrypted version of
the site before being redirected, if, for example, the visitor types
http://www.foo.com/ or even just foo.com. This creates an opportunity
for a man-in-the-middle attack. The redirect could be exploited to
direct visitors to a malicious site instead of the secure version of
the original site.
The HTTP Strict Transport Security header informs the browser that it
should never load a site using HTTP and should automatically convert
all attempts to access the site using HTTP to HTTPS requests instead.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1734767/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
