security.strict-transport-security option (HSTS) not enabled on tracker.pureos.net
Open, Normal, Public

Description

Visiting https://tracker.pureos.net/ returns the following header:

Strict-Transport-Security: max-age=0; includeSubdomains; preload

which deletes the HSTS entry if used before, because the "security.strict-transport-security" option is turned off, see:
https://secure.phabricator.com/T7777

More information about HSTS and why it's important:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Fix:
Enable the "security.strict-transport-security" option in the configuration.

e3amn2l created this task. Sep 5 2018, 8:54 PM
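
A check for the condition reported above, as an added example that is not part of the original task or of Phabricator: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes and reports whether a browser would keep, delete or ignore the policy. The function names and every sample header except the one quoted in the task are constructed for illustration.

```python
import re

# directive = token [ "=" ( token | quoted-string ) ], RFC 6797 section 6.1.
# Simplification: a ";" inside a quoted-string is not supported.
_DIRECTIVE = re.compile(
    r'''^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:\s*=\s*(?:"([^"]*)"|([^\s";]+)))?$''')


def parse_hsts(value):
    """Return lower-cased directives, or None if a browser would ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a directive must not appear more than once
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a run of digits
    directives["max-age"] = int(max_age)
    return directives


def assess(value):
    """Classify one header value as invalid, disabled or enabled."""
    d = parse_hsts(value)
    if d is None:
        return "invalid: header ignored, no HSTS policy is stored"
    if d["max-age"] == 0:
        return "disabled: max-age=0 removes any cached HSTS entry for this host"
    scope = "host and subdomains" if "includesubdomains" in d else "host only"
    return f"enabled: {scope}, {d['max-age']} seconds"


if __name__ == "__main__":
    samples = [
        "max-age=0; includeSubdomains; preload",  # header quoted in the task
        "max-age=31536000; includeSubDomains",    # constructed
        "includeSubDomains",                      # constructed, max-age missing
        "max-age=300; max-age=600",               # constructed, duplicate
    ]
    for s in samples:
        print(f"{s!r} -> {assess(s)}")
```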
