
Security VIT related to The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header #35

nakiva9 opened this issue Dec 6, 2024 · 2 comments
nakiva9 commented Dec 6, 2024

Version of Kpow
The version of Kpow you are running is [operatr/kpow:88.5]

Describe the issue
Our Security team scanned the Kpow App and Server and has identified a vulnerability, as below:

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

The summary is as follows:
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Additional context
We are mandated to resolve the security vulnerability. I looked at the configuration and could not find any web server config file to add the following to remediate the issue:

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

We need help from support on how to resolve this in our Kpow environment; we use a licensed version of Kpow.

d-t-w commented Dec 7, 2024

Hello @nakiva9 thanks for your message, we'll look into this and resolve in the next release (94.1).

As you are a licensed user, you can always access support via our ticketed support channels by emailing [email protected] to contact the Factor House team.

d-t-w commented Dec 10, 2024

Hello @nakiva9 a quick clarification and update on this ticket.

While investigating this issue we confirmed that Kpow does set the "Strict-Transport-Security" header for every response when SSL is configured, except for the 303/Redirect response that Kpow sends when you have also configured Jetty authentication and are accessing the UI as an unauthenticated user (Jetty redirects you to the login page).

At a guess this is how your automated scanning tool has encountered Kpow.

We have fixed that bug, ensured that the "Strict-Transport-Security" header is set on every response where SSL is configured, and have exposed these configurable environment variables (and default values):

    "HTTPS_STS_MAX_AGE"            "31536000"
    "HTTPS_STS_INCLUDE_SUBDOMAINS" "true"

This generates the following default HSTS header for responses where SSL is configured:

    Strict-Transport-Security: max-age=31536000; includeSubDomains

Users can turn HSTS off by setting HTTPS_STS_MAX_AGE=-1, but the default is on.

Thanks for raising this ticket. The bugfix is included in the next release of Kpow (v94.1); I will leave it open until I can link to the full release notes. We expect to release v94.1 in January.

I notice that your ticket references v88.5, which is quite old. With your license you are free to update Kpow at any time to any later version, and our team is more than happy to help if you need any assistance upgrading.
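The gap described above (the header present on normal responses but absent on the unauthenticated 303 redirect) is exactly the kind of thing a scanner catches and a follow-redirects check misses. The following is an added example, not Kpow's or Factor House's code: it mirrors the HTTPS_STS_MAX_AGE / HTTPS_STS_INCLUDE_SUBDOMAINS semantics from this comment (max-age -1 = off) and audits captured responses without following redirects. The function names and the sample responses are constructed for illustration.

```python
import os
import urllib.error
import urllib.request
from typing import Optional


def hsts_header_value(max_age: str = "31536000",
                      include_subdomains: str = "true") -> Optional[str]:
    """Build the Strict-Transport-Security value from the env-var style
    settings described in the thread. Returns None when max-age is -1,
    which the comment says switches HSTS off."""
    age = int(max_age)
    if age < 0:
        return None
    value = f"max-age={age}"
    if include_subdomains.strip().lower() == "true":
        value += "; includeSubDomains"
    return value


def hsts_from_env(env=os.environ) -> Optional[str]:
    """Same thing, read from the process environment with the thread's defaults."""
    return hsts_header_value(env.get("HTTPS_STS_MAX_AGE", "31536000"),
                             env.get("HTTPS_STS_INCLUDE_SUBDOMAINS", "true"))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow 3xx so the redirect's own headers can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status_and_headers(url: str, timeout: float = 10.0):
    """GET `url` once, without following redirects; 3xx/4xx/5xx still carry headers."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def statuses_missing_hsts(responses):
    """Return the status codes of (status, headers) pairs that lack the HSTS header."""
    return [status for status, headers in responses
            if "strict-transport-security" not in {k.lower() for k in headers}]


# Constructed sample reproducing the pre-fix behaviour described in the thread.
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html",
           "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    (303, {"Location": "/login"}),  # unauthenticated redirect to the Jetty login page
]
```

Running `statuses_missing_hsts([fetch_status_and_headers(u) for u in urls])` against your own HTTPS endpoints, including the unauthenticated UI root, reproduces the scanner's view.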
