Add HSTS response header #3032

Open
3 tasks
jonnalley opened this issue Nov 6, 2024 · 0 comments
Labels
infrastructure security-privacy-compliance Work needed around Security, Privacy, or Compliance

Comments

@jonnalley
Contributor

Goals

  • Address ACF Tech "low" finding in all environments
  • Infra config would all be captured in IaC

Tasks

  • Assemble necessary TF module/resource for an AppGW Rewrite rule for a Strict-Transport-Security response header being set with no conditions.
  • Plan and Apply in all environments
  • Test out interactions in the app, including uploading files?

Additional Context

  • In the SDLC app gateway currently, this is enabled in addition to the CORS rules that Reed temporarily added as a troubleshooting tool. He reports his CORS rules are not needed, though.
  • The value tested thus far was max-age=300; includeSubDomains; preload. Some best practices for the max-age value (X) seem to be 1-2 years. One year is 31536000 and 2 is 63072000.
  • If trouble arises, maybe try a much lower max-age (like 300) or take out the preload as a troubleshooting step.
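Added example (not from this issue or its repository): a minimal azurerm_application_gateway showing the rewrite_rule_set the first task asks for, with the Strict-Transport-Security header set unconditionally (no condition block) and attached to the routing rule. The max-age and preload values are driven by variables so that the 300-second and no-preload troubleshooting steps from the additional context are a variable change rather than a config edit. All names, the subnet, public IP and certificate inputs are assumed placeholders.

```hcl
# Assumed placeholders for infrastructure that already exists elsewhere in IaC.
variable "appgw_subnet_id" { type = string }
variable "appgw_public_ip_id" { type = string }
variable "site_cert_password" {
  type      = string
  sensitive = true
}

# 31536000 = 1 year, 63072000 = 2 years; 300 is only for troubleshooting,
# since browsers remember the policy for max-age seconds after the last visit.
variable "hsts_max_age" {
  type    = number
  default = 31536000
}

# Drop preload first when troubleshooting: once a domain is on the preload
# list, the policy cannot be withdrawn quickly by changing the header.
variable "hsts_preload" {
  type    = bool
  default = true
}

locals {
  hsts_value = join("; ", compact([
    "max-age=${var.hsts_max_age}",
    "includeSubDomains",
    var.hsts_preload ? "preload" : "",
  ]))
}

resource "azurerm_application_gateway" "app" {
  name                = "example-appgw" # assumed
  resource_group_name = "example-rg"    # assumed
  location            = "eastus"        # assumed

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }

  gateway_ip_configuration {
    name      = "gw-ipconfig"
    subnet_id = var.appgw_subnet_id
  }

  frontend_port {
    name = "https"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "public"
    public_ip_address_id = var.appgw_public_ip_id
  }

  # HSTS is only honoured on HTTPS responses, so the listener is TLS.
  ssl_certificate {
    name     = "site"
    data     = filebase64("site.pfx") # assumed local file
    password = var.site_cert_password
  }

  backend_address_pool {
    name  = "app-pool"
    fqdns = ["app.internal.example"] # assumed
  }

  backend_http_settings {
    name                  = "app-https"
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 60
  }

  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "public"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "site"
  }

  # No condition block, so every response through this rule set gets the header.
  rewrite_rule_set {
    name = "security-headers"
    rewrite_rule {
      name          = "add-hsts"
      rule_sequence = 100
      response_header_configuration {
        header_name  = "Strict-Transport-Security"
        header_value = local.hsts_value
      }
    }
  }

  request_routing_rule {
    name                       = "https-to-app"
    priority                   = 100
    rule_type                  = "Basic"
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "app-pool"
    backend_http_settings_name = "app-https"
    rewrite_rule_set_name      = "security-headers"
  }
}
```

After plan and apply, the test step reduces to requesting any path through the gateway over HTTPS and confirming the response carries Strict-Transport-Security with the expected max-age; file uploads should be checked too, since a rewrite rule set applies to the routing rule as a whole and a separate path-based rule without rewrite_rule_set_name would silently skip the header.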

Resources

@jonnalley jonnalley added infrastructure security-privacy-compliance Work needed around Security, Privacy, or Compliance labels Nov 6, 2024