includeSubdomains in Strict-Transport-Security #64
NKazantsev
started this conversation in
Ideas
Replies: 1 comment
-
I believe this is already from this PR: #15 |
-
Hi,
What about the includeSubdomains option in Strict-Transport-Security?
Can you add it to secure-headers?
DESCRIPTION
The application is setting the Strict-Transport-Security header but with an insecure value, specifically without the includeSubdomains option. The includeSubdomains option will extend the benefit of the header to the subdomains, preventing situations where the attacker registers (or takes over) a subdomain and leverages that to read session cookies from the parent domain.
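As an added example (not code from the original post or from the secure-headers project), a small Python checker that parses a Strict-Transport-Security value according to RFC 6797 and flags the weakness described above; the one-year minimum for max-age is an assumption of this example, not something the post states.

```python
"""Check a Strict-Transport-Security header value for the weakness the
discussion describes: a policy that omits includeSubDomains (RFC 6797)."""
import re

# One year in seconds: an assumed minimum for this example, not from the post.
MIN_MAX_AGE = 31536000

def parse_hsts(value: str) -> dict:
    """Split 'max-age=...; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive; valueless directives map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")  # RFC 6797 forbids repeats
        directives[name] = val.strip().strip('"') if sep else True
    return directives

def check_hsts(value: str) -> list:
    """Return a list of findings; an empty list means the policy looks sound."""
    findings = []
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", str(max_age)):
        findings.append("max-age missing or not an integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} shorter than {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains (and cookies "
                        "scoped to the parent domain) are not protected")
    return findings

# Constructed sample values, as a scanner might observe them
SAMPLES = {
    "weak":   "max-age=31536000",
    "strong": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, hdr, "->", check_hsts(hdr) or ["ok"])
```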