HTTPS Strict Transport Security
Completed
In the section for HTTPS Strict Transport Security.
Please include options for "includeSubDomains" and "preload" in the HSTS header.
This will enable better security practice where:
The includeSubDomains directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
The preload directive allows the instance to be considered for the Google Chrome HTTP Strict Transport Security (HSTS) preload list. See website below.
Adding these features will further enhance the security and credibility of the Cerberus product and enable more confidence for my clients when using it.
Missing these fields means that the endpoint is more vulnerable to man-in-the-middle attacks and comes up as a risk on penetration and security reviews.
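For readers checking what the request above asks for, here is an added example (not code from the original post or from Cerberus FTP Server) that parses a Strict-Transport-Security header value and reports whether it meets the hstspreload.org submission requirements: a max-age of at least one year (31536000 seconds), includeSubDomains, and preload. The sample header values at the bottom are constructed for the example.

```python
"""Check a Strict-Transport-Security header against the HSTS preload-list rules.

Added example for this thread; not Cerberus FTP Server code. The thresholds
assume the published hstspreload.org criteria (max-age >= 1 year,
includeSubDomains, preload).
"""

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the hstspreload.org minimum


def parse_hsts(value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    a directive appearing twice makes the header invalid, so that is an error.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        # max-age may be written as a quoted-string; strip the quotes if present
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def hsts_issues(value: str) -> list:
    """Return a list of problems with the header; an empty list means preload-ready."""
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return [str(e)]
    if "max-age" not in d:
        return ["max-age directive missing; browsers ignore the header"]
    try:
        max_age = int(d["max-age"])
    except (TypeError, ValueError):
        return ["max-age is not an integer"]

    issues = []
    if max_age == 0:
        issues.append("max-age=0 clears HSTS for this host")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        issues.append(f"max-age {max_age} is below the 1-year preload minimum")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains missing: subdomains stay unprotected "
                      "and preload submission is rejected")
    if "preload" not in d:
        issues.append("preload missing: the preload list will not accept the domain")
    return issues


# Constructed sample header values: the weak one and the preload-ready one.
WEAK_HEADER = "max-age=300"
PRELOAD_READY_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("preload-ready", PRELOAD_READY_HEADER)):
        problems = hsts_issues(header)
        print(f"{label}: {header!r} -> {problems or 'OK'}")
```

Point the check at the real header by fetching the site over HTTPS and passing the value of the Strict-Transport-Security response header to hsts_issues(); the preload list also requires the header to be served on the bare domain and after any HTTP-to-HTTPS redirect, which this offline check cannot see.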
We are going to run into issues with this soon where a domain that we host Cerberus on wants to submit for preloading and Cerberus will block that.
I managed to get around this by running Cerberus on a subdomain where the root domain is HSTS preloaded.
Hello everyone,
I wanted to let you know that this feature has been added to Cerberus FTP Server v12, which is available for download now. You can review the release notes by visiting https://www.cerberusftp.com/products/releasenotes/
- New: Support for “includeSubDomains” and “preload” with HTTPS Strict Transport Security (HSTS)
Excellent, thank you very much Jeff.