Collaborate Disseminate
For various reasons, I need to shrink my CSP header a bit without degrading its effectiveness. I’m able to save some bytes by wildcarding some subdomains, but I’m also tempted to strip out all instances of https://.
Example:
connect-src ‘s… Continue reading If I’m using HSTS, can I skip the scheme from my CSP directives?
I just stumbled upon this fedramp document: https://www.fedramp.gov/assets/resources/templates/FedRAMP-Moderate-Readiness-Assessment-Report-(RAR)-Template.docx
It contains the following note in 4.2.2 Transport Layer Security:
Note: DHS BO… Continue reading Why does Fedramp disallow TLS 1.2 via HSTS?
I am trying to implement HSTS on the Ookla service deployed on my server but don’t know the exact command on how to implement this.
I am using the latest version of Ookla which is 2.11 which says it has HSTS implemented but it doesn’t work… Continue reading Implementing HSTS (Strict Transport Security on OOkla server
I am trying to implement HSTS on the Ookla service deployed on my server but don’t know the exact command on how to implement this.
I am using the latest version of Ookla which is 2.11 which says it has HSTS implemented but it doesn’t work… Continue reading Implementing HSTS (Strict Transport Security on OOkla server
I am trying to implement HSTS on the Ookla service deployed on my server but don’t know the exact command on how to implement this.
I am using the latest version of Ookla which is 2.11 which says it has HSTS implemented but it doesn’t work… Continue reading Implementing HSTS (Strict Transport Security on OOkla server
Google Chrome (and other browsers) do a great job preventing the user from viewing non-TLS sites or sites with invalid certificates by using HSTS preloading. So good actually that I can’t find a way to open the site in Google Chrome at all… Continue reading Ignore HSTS preloading in browsers [migrated]
Many new TLDs have mandatory HTTPS requirements. Is there a way to disable that for subdomains? If not does that mean an expensive wildcard SSL certificate will need to be used with these domains?
So if I have a service running at sub.doma… Continue reading Do subdomains of a TLD with mandatory HTTPS require a wildcard certificate?
Many companies have internal applications, and it would not be wise to recommend these are opened to the public internet merely for the purpose of them making it onto the HSTS preload list. Even if these services were audited and user cred… Continue reading Is it possible to internally use HSTS preloading for internal domains?
my team and I are troubleshooting some auditor findings and we’ve noticed this when going to
chrome://net-internals/#hsts
Found:
static_sts_domain: redacted
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: false
static_sts_o… Continue reading Domain on HSTS Preload list, but include subdomains is false?
I’ve got a Mayan EDMS running on a computer on the local network. The Web App is exposed via HTTPS on the non-standard port 8001 and it uses an SSL certificate that is signed by our own CA.
The CA is installed in my browser, but my browse… Continue reading Browsers don’t trust SSL certificates of network-local host signed by own CA