Strict-transport-security

oliviertassinari · April 7, 2023, 10:08pm

curl -I http://translate.mui.com doesn’t return the Strict-Transport-Security header. Would it be possible to have “Strict-Transport-Security: max-age=31536000; includeSubDomains; preload”? The goal is to secure the access, see CheatSheetSeries/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md at master · OWASP/CheatSheetSeries · GitHub.

Oleg_Stoykov · April 8, 2023, 11:46pm

I don’t see here any possible security breach. You’re reporting a vulnerability or this is a feature request? What’s the goal of http protocol, if Crowdin is already on https for a long time? All recourses or Crowdin already on HTTPS protocol…

Plus Crowdin is ISO certified for a long time, this is a guarantee of security

oliviertassinari · April 9, 2023, 1:03am

I’m reporting a security weakness. Strict-Transport-Security instruct the browser to only use HTTPS, in the event that a man in the middle might filter out Crowdin’s request to move from HTTP to HTTPS.

Dima · April 9, 2023, 4:51am

Hello @oliviertassinari

If you found a vulnerability and would like to report it, kindly follow these instructions.

Please take a detailed look at the sections “What are We Looking for” and “What We are Not Looking for” before submitting a report.