** Information type changed from Private Security to Public Security ** Changed in: mahara/16.10 Status: Fix Committed => Fix Released
-- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1734767 Title: Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https Status in Mahara: Fix Committed Status in Mahara 16.10 series: Fix Released Status in Mahara 17.04 series: Fix Committed Status in Mahara 17.10 series: Fix Committed Status in Mahara 18.04 series: Fix Committed Bug description: If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site. The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1734767/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp