Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https
Bug #1734767 reported by
Robert Lyon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Fix Released
|
High
|
Unassigned | ||
16.10 |
Fix Released
|
High
|
Unassigned | ||
17.04 |
Fix Released
|
High
|
Unassigned | ||
17.10 |
Fix Released
|
High
|
Unassigned | ||
18.04 |
Fix Released
|
High
|
Unassigned |
Bug Description
If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://
The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
CVE References
information type: | Private Security → Public Security |
To post a comment you must log in.
Fix at https:/ /reviews. mahara. org/#/c/ 8312/
Reported by Kirti AR.