This repository has been archived by the owner on Feb 21, 2019. It is now read-only.

HSTS not fully recognized by SSL scanner #42

Open
glencarl opened this issue Mar 8, 2016 · 2 comments

Comments

@glencarl

glencarl commented Mar 8, 2016

I am attempting to use flask-sslify==0.1.5 on Heroku with expeditedSSL. I have tried the default and other settings, such as sslify = SSLify(app, age=31536000, permanent=True, subdomains=True). However, each scan gives the same indication that HSTS is not fully working. It was working fine for another site until I upgraded to 0.1.5, and then also when I tried the earlier version, 0.1.3, that had been working. Now, none of the versions are getting an A+ scan.
Any thoughts?
Thanks,
Glen

Site uses HSTS

HTTP Strict Transport Security (HSTS) is an HTTP response header that is set on your web application server. Supporting browsers read the header, which contains an expiration max-age value, and will NOT reconnect over a plain HTTP connection until the max-age value is exceeded. HSTS prevents a variety of attacks where an intermediary could disrupt or spoof connections.

You'll need to implement this in your application.

More HSTS information at: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

@glencarl (Author)

glencarl commented Mar 8, 2016

I just discovered 0.1.4 worked with the scanner. Hopefully, 0.1.6 will work too.

@rykener

rykener commented Apr 21, 2016

@glencarl see issue #43. The issue you're having is due to the HSTS flag: Strict-Transport-Security not being sent in the header. Therefore there is no HSTS security in v0.1.5 as opposed to just an issue with the scanner you're using.
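Added example (not part of this thread and not flask-sslify's own code): a small stdlib-only WSGI wrapper that does what the extension is supposed to do, i.e. redirect plain HTTP to HTTPS and attach Strict-Transport-Security to HTTPS responses, beside a checker that inspects a response the way the scanner quoted above does (header present, max-age large enough, includeSubDomains set). Running the checker against a stand-in app that sets no header reproduces the "Site uses HSTS" failure; running it against the wrapped app passes. Names such as HstsMiddleware, plain_app, call and check_hsts are this example's own. The handling of X-Forwarded-Proto assumes a TLS-terminating proxy in front of the app, as on Heroku, and the 31536000-second max-age is the value from the first comment.

```python
"""HSTS middleware and response checker, standard library only (example code)."""

ONE_YEAR = 31536000  # seconds; the max-age used in the issue report


def hsts_value(max_age=ONE_YEAR, subdomains=False):
    """Build a Strict-Transport-Security value from RFC 6797 directives."""
    parts = ["max-age=%d" % max_age]
    if subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


class HstsMiddleware(object):
    """Redirect plain HTTP to HTTPS and add HSTS to every HTTPS response.

    Assumption: a TLS-terminating proxy (e.g. Heroku's router) reports the
    original scheme in X-Forwarded-Proto; otherwise the WSGI scheme is used.
    """

    def __init__(self, app, max_age=ONE_YEAR, subdomains=False, permanent=False):
        self.app = app
        self.value = hsts_value(max_age, subdomains)
        self.redirect_status = "301 Moved Permanently" if permanent else "302 Found"

    def __call__(self, environ, start_response):
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme"))
        if scheme != "https":
            url = "https://%s%s" % (environ["HTTP_HOST"], environ.get("PATH_INFO", "/"))
            # Deliberately no HSTS header here: browsers ignore it on plain HTTP.
            start_response(self.redirect_status, [("Location", url)])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def plain_app(environ, start_response):
    """Stand-in for an app whose HSTS extension silently sends nothing."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, https=True, host="example.com", path="/", forwarded_proto=None):
    """Run one GET against a WSGI app; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": host,
               "wsgi.url_scheme": "https" if https else "http"}
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if malformed or no max-age."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def check_hsts(headers, min_age=ONE_YEAR):
    """Return a list of findings for a response's headers; empty means it passes."""
    value = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["malformed Strict-Transport-Security value: %r" % value]
    findings = []
    if parsed["max_age"] < min_age:
        findings.append("max-age %d is below %d" % (parsed["max_age"], min_age))
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    wrapped = HstsMiddleware(plain_app, subdomains=True, permanent=True)
    for name, app in [("no HSTS", plain_app), ("with HSTS", wrapped)]:
        status, headers, _ = call(app)
        print(name, status, check_hsts(headers) or "OK")
```

The checker reads the header case-insensitively and requires max-age, as RFC 6797 does; a header that only says includeSubDomains is reported as malformed rather than partially accepted. Whatever a scanner reports, curl -sI https://your-host/ and look for the Strict-Transport-Security line yourself: if it is absent on the HTTPS response, the library is not setting it, which is the situation described in this thread.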
