Issue #7804: Default to enabling HSTS even for self-signed certificates, offer a knob to disable it - Pulp

Actions

Send by e-mail Copy link

Issue #7804

closed

Default to enabling HSTS even for self-signed certificates, offer a knob to disable it

Added by spredzy over 3 years ago. Updated over 3 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

spredzy

Category:

Installer - Moved to GitHub issues

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

Platform Release:

OS:

Triaged:

Groomed:

Sprint Candidate:

Tags:

Sprint:

Quarter:

Description

Currently we only enable HSTS when a user provides a certificate. This is 'technically' the right approach given HSTS aims to prevent a MITM attack.

However some users/customers run security/vuln scan against their deployed tools, and HSTS is one of the item that is often check.

If deployed out-of-the-box, the HSTS check will fail. To offer user/customer a better experience, even if using self-signedd certificate we should default to enabling HSTS (and offer a knob to disable it for valid reasons[1])

[1] https://www.jeffgeerling.com/blog/2018/fixing-safaris-cant-establish-secure-connection-when-updating-self-signed-certificate

Actions

Send by e-mail Copy link

Also available in: Atom PDF

Project

Profile

Help

Pulp

Agile boards

Custom queries

Issue #7804

Default to enabling HSTS even for self-signed certificates, offer a knob to disable it

Updated by pulpbot over 3 years ago

Added by spredzy over 3 years ago

Added by spredzy over 3 years ago

Updated by spredzy over 3 years ago

Updated by dkliban@redhat.com over 3 years ago