
Enable HSTS by Default on Deco CX Webpages #871

Open
pedrobernardina opened this issue Nov 26, 2024 · 0 comments
@pedrobernardina
Contributor

pedrobernardina commented Nov 26, 2024

Description

To improve the security of Deco CX webpages, we propose enabling HTTP Strict Transport Security (HSTS) by default. HSTS ensures that all interactions between the user's browser and the website are conducted over HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

Problem Statement

Currently, Deco CX does not enforce HTTPS connections by default, leaving room for potential security vulnerabilities, especially in scenarios where a user attempts to access the site via HTTP. This can undermine trust and expose sensitive user data to potential attacks.

Proposed Solution

Enable HSTS on all Deco CX webpages by default by adding the following header to HTTP responses:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age=31536000: Enforces HTTPS for one year.
  • includeSubDomains: Ensures all subdomains are also covered by HSTS.
  • preload: Prepares the site for inclusion in the browser preload list.

Benefits

  • Improved user security by ensuring all traffic uses HTTPS.
  • Enhanced trust and compliance with modern security best practices.
  • Mitigates risks of downgrade attacks and data interception.

Implementation Steps

  1. Update the server configuration to include the HSTS header in all HTTP responses.
  2. Conduct testing to ensure that existing functionalities are not impacted.
  3. Optionally, submit the domain to the HSTS preload list for browser support.

Additional Considerations

  • Ensure that all HTTP URLs are properly redirected to HTTPS before enabling HSTS.
  • Review existing mixed content issues and resolve them to avoid breaking functionalities when enforcing HTTPS.

Impact

High (Improves security for all users)

Affected Systems

  • Deco CX webpage infrastructure
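The proposal above boils down to three pieces of server behaviour: redirect plain-HTTP requests to the same host over HTTPS, set the Strict-Transport-Security header on HTTPS responses, and make sure the header value satisfies the hstspreload.org submission rules before step 3. The following is an added example, not deco.cx project code, written as a fetch-style `Request -> Response` middleware (the shape used by Deno-based servers such as the one deco.cx runs on). The function names `httpsRedirect`, `addHsts`, `withHsts`, `parseHsts` and `meetsPreloadRequirements`, the `trustProxy` option and the sample requests are all assumptions made for this example.

```typescript
// Added example (not deco.cx's own code): HTTP -> HTTPS redirect, HSTS header
// injection and a preload-requirements check for a fetch-style handler.

type Handler = (req: Request) => Promise<Response> | Response;

// The header value proposed in the issue.
const HSTS_VALUE = "max-age=31536000; includeSubDomains; preload";

// hstspreload.org requires at least one year.
const PRELOAD_MIN_MAX_AGE = 31536000;

/** Scheme the client actually used. Behind a TLS-terminating proxy the request
 *  URL is usually http://, so X-Forwarded-Proto is honoured only when the
 *  deployer says the proxy overwrites it (trustProxy); otherwise a client could
 *  spoof it and skip the redirect. */
function clientScheme(req: Request, trustProxy: boolean): string {
  const fwd = trustProxy ? req.headers.get("x-forwarded-proto") : null;
  if (fwd) return fwd.split(",")[0].trim().toLowerCase();
  return new URL(req.url).protocol.replace(":", "");
}

/** 301 to the same host and path over HTTPS, or null if already HTTPS.
 *  The preload list requires the redirect to stay on the same host. */
function httpsRedirect(req: Request, trustProxy = false): Response | null {
  if (clientScheme(req, trustProxy) === "https") return null;
  const u = new URL(req.url);
  u.protocol = "https:";
  u.port = ""; // drop any explicit :80 / custom port
  return new Response(null, { status: 301, headers: { Location: u.toString() } });
}

/** Copy a response and set the HSTS header (Headers from fetch() may be immutable). */
function addHsts(res: Response, value = HSTS_VALUE): Response {
  const headers = new Headers(res.headers);
  headers.set("Strict-Transport-Security", value);
  return new Response(res.body, { status: res.status, statusText: res.statusText, headers });
}

/** Middleware: HTTP gets redirected, HTTPS responses get the header.
 *  The header is only set over HTTPS because browsers ignore
 *  Strict-Transport-Security received over plain HTTP (RFC 6797 §8.1). */
function withHsts(handler: Handler, opts: { trustProxy?: boolean; value?: string } = {}): Handler {
  return async (req) => {
    const redirect = httpsRedirect(req, opts.trustProxy ?? false);
    if (redirect) return redirect;
    return addHsts(await handler(req), opts.value ?? HSTS_VALUE);
  };
}

/** Parse a Strict-Transport-Security value into its directives (RFC 6797 §6.1).
 *  Directive names are case-insensitive; max-age may be quoted. */
function parseHsts(value: string): { maxAge?: number; includeSubDomains: boolean; preload: boolean } {
  const out: { maxAge?: number; includeSubDomains: boolean; preload: boolean } =
    { includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const d = raw.trim();
    if (!d) continue;
    const eq = d.indexOf("=");
    const name = (eq === -1 ? d : d.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? undefined : d.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age" && val !== undefined && /^\d+$/.test(val)) out.maxAge = Number(val);
    else if (name === "includesubdomains") out.includeSubDomains = true;
    else if (name === "preload") out.preload = true;
  }
  return out;
}

/** Header-value part of the hstspreload.org requirements:
 *  max-age >= 1 year, includeSubDomains and preload all present. */
function meetsPreloadRequirements(value: string): boolean {
  const h = parseHsts(value);
  return h.maxAge !== undefined && h.maxAge >= PRELOAD_MIN_MAX_AGE && h.includeSubDomains && h.preload;
}

// Constructed demo: probe the middleware over http:// and https://.
async function demo(): Promise<void> {
  const app = withHsts(() => new Response("hello"));
  const r = await app(new Request("http://example.com/page?x=1"));
  console.log(r.status, r.headers.get("Location"));
  const s = await app(new Request("https://example.com/page"));
  console.log(s.headers.get("Strict-Transport-Security"), meetsPreloadRequirements(HSTS_VALUE));
}
void demo();
```

Two caveats worth keeping in mind when testing step 2: `includeSubDomains` applies the policy to every subdomain, so any internal or legacy host under the same apex that is still HTTP-only breaks the moment the header is seen on the apex, and `preload` is effectively permanent, since removal from the browser preload lists takes months to propagate. Roll out with a short `max-age` first and raise it to one year only once the redirect and mixed-content checks pass.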