Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(1) MEDIUM - Missing_HSTS_Header #107

Closed
TiagoV-PDMFC opened this issue Aug 4, 2022 · 2 comments
Closed

(1) MEDIUM - Missing_HSTS_Header #107

TiagoV-PDMFC opened this issue Aug 4, 2022 · 2 comments

Comments

@TiagoV-PDMFC
Copy link
Contributor

implement HSTS headers for the API
@TiagoV-PDMFC TiagoV-PDMFC mentioned this issue Aug 4, 2022
Open
@joaoluis-pdm
Copy link
Contributor

Just my 2 cents: The FGT services operate entirely in HTTP (not HTTPS), as it normally operates on port 8080 (not 443).
It is up to the surrounding infrastructure, if desired to have the service reverse-proxied by HTTPS, to add the HSTS header (if desired).

@joaoluis-pdm
Copy link
Contributor

joaoluis-pdm commented Aug 17, 2022
edited
Loading

Reponse proposal: The code is designed for http (not https). Makes no sense to add an Strict-Transport-Security header on an http response in this situation. When deploying a production environment, the solution will probably be wrapped by a reverse https-to-http proxy. It is up to that proxy to add the Strict-Transport-Security header if desired.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TiagoV-PDMFC @joaoluis-pdm