Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IT-3558: Set Strict-Transport-Security on HTTPS responses, as requested by Pentester #104

Merged
merged 1 commit into from
Apr 24, 2024
Merged

IT-3558: Set Strict-Transport-Security on HTTPS responses, as requested by Pentester #104

merged 1 commit into from
Apr 24, 2024

Conversation

brucehoff
Copy link
Member

Set Strict-Transport-Security on HTTPS responses, as requested by Pentester

The response should have a Strict-Transport-Security header, but only if the scheme is https, not http.

@brucehoff brucehoff requested a review from a team as a code owner April 20, 2024 00:29
@brucehoff brucehoff requested review from xschildw and zaro0508 April 23, 2024 23:42
zaro0508
zaro0508 requested changes Apr 24, 2024
View reviewed changes
src/main/java/synapseawsconsolelogin/Auth.java
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp)
throws IOException {
try {
if (req.isSecure()) {
resp.setHeader(StrictTransportSecurityHeaderName, StrictTransportSecurityHeaderValue);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setHeader is used here and subsequently used in doGetIntern method as well. according to the java docs the setHeader will replace the existing header value. I assume we want to send multiple headers in some cases?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

according to the java docs the setHeader will replace the existing header value

No, I believe you are misreading the doc'. setHeader will only override an existing header with the same name, i.e., an existing header named, "Strict-Transport-Security". Since we are only adding this header in one place, there will be no collision.

zaro0508
zaro0508 reviewed Apr 24, 2024
View reviewed changes
src/main/java/synapseawsconsolelogin/Auth.java
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp)
throws IOException {
try {
if (req.isSecure()) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm not sure this check is necessary since it seems like browsers will ignore the header if http is used.. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#description

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The check might not be necessary, however (from the page you link):

The Strict-Transport-Security header is ignored by the browser when your site has only been accessed using HTTP. Once your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header. Browsers do this as attackers may intercept HTTP connections to the site and inject or remove the header.

So there's no point in adding the header for HTTP requests.

@brucehoff brucehoff requested a review from zaro0508 April 24, 2024 19:15
@brucehoff brucehoff merged commit b59bf9f into Sage-Bionetworks:develop Apr 24, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zaro0508 zaro0508 zaro0508 approved these changes

@xschildw xschildw Awaiting requested review from xschildw

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brucehoff @zaro0508