Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https

Bug #1734767 reported by Robert Lyon
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Unassigned
16.10
Fix Released
High
Unassigned
17.04
Fix Released
High
Unassigned
17.10
Fix Released
High
Unassigned
18.04
Fix Released
High
Unassigned

Bug Description

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

CVE References

Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Fix at https://reviews.mahara.org/#/c/8312/

Reported by Kirti AR.

summary: - Mahara needing the Content Security Policy (CSP) to define what is/isn't
- allowed
+ Mahara needing the HTTP Strict Transport Security (HSTS) header when
+ site is https
description: updated
Changed in mahara:
status: Confirmed → In Progress
Robert Lyon (robertl-9)
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers