
mahara-contributors team mailing list archive

[Bug 1531987] Re: Review HTTP headers to improve security


On further reflection, I decided not to include the "Strict-Transport-
Security" header in Mahara core. It has too much potential to cause
problems for site admins. If one of them did want to serve HTTP & HTTPS
content off the same domain (i.e. https://example.com/mahara &
http://example.com/insecure/) they probably wouldn't notice this setting
until after it was causing problems, and once they reached that point,
there would be no easy way to roll back the problem. See
http://stackoverflow.com/questions/10629397/how-to-disable-http-strict-transport-security

The only way to revert Strict-Transport-Security (i.e. HSTS) once it has
been sent out is:

1. Wait out the max-age period
2. Have *all* your site users clear their individual browser caches
3. Have the HTTPS version of your site serve a Strict-Transport-Security page with max-age:0. (But, you have to keep this up until *all* affected visitors have been served a copy of it.)

Of course, this difficulty in reversing it is by design. That's the
whole point of this setting!

But for us, because this setting will cause nearly irreversible problems
for the few sites where it is not appropriate, it would be irresponsible
of us to turn it on automatically.

https://bugs.launchpad.net/bugs/1531987

Title:
  Review HTTP headers to improve security

Status in Mahara:
  Confirmed
Status in Mahara 1.10 series:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed

Bug description:
  We need to review our HTTP headers to improve security and check which
  ones we should include per default and which ones might need to be
  configurable. The review will include but is not limited to:

  - Strict-Transport-Security
  - Content-Security-Policy
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Server
  - X-Powered-By
  - X-Permitted-Cross-Domain-Policies
  - Caching headers

  Initial reports for X-XSS-Protection header by SaifAllah benMassaoud
  and Zeeshan.

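An added example, not code from Mahara or from this thread: a small Python model of the Strict-Transport-Security behaviour discussed above. It parses a header value the way a browser does (RFC 6797) and computes how long a client keeps forcing HTTPS after the last time it saw the header, which is why rollback step 1 is a waiting game and step 3 needs a max-age=0 header served to every affected client. The header values and dates it takes are constructed sample input.

```python
"""Model of HSTS (RFC 6797) policy parsing and expiry, as discussed in the thread."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Rollback step 3 above: a zero max-age tells a client to forget the cached policy.
ROLLBACK_HEADER_VALUE = "max-age=0"


@dataclass
class HstsPolicy:
    max_age: int              # seconds the client must keep forcing HTTPS
    include_subdomains: bool  # policy also covers every subdomain of the host
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None for values a
    browser ignores: missing or non-numeric max-age, or a repeated directive."""
    max_age: Optional[int] = None
    seen = set()
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:          # RFC 6797 6.1: each directive at most once
            return None
        seen.add(name)
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def enforcement_ends(policy: HstsPolicy, last_served_iso: str) -> str:
    """ISO timestamp at which a client that last received `policy` at
    `last_served_iso` stops forcing HTTPS by itself (rollback step 1)."""
    last_served = datetime.fromisoformat(last_served_iso)
    return (last_served + timedelta(seconds=policy.max_age)).isoformat()
```

Stopping the header only starts the clock: each client enforces until its own copy expires, so the site cannot safely serve plain HTTP on that host until the last client's expiry time has passed or it has fetched the max-age=0 value.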

