From 58cdff1d715e4207eb3d828d980248d53b10f757 Mon Sep 17 00:00:00 2001
From: Ollie Philpott
Date: Wed, 8 May 2019 11:09:45 +0100
Subject: [PATCH 1/5] Removed preload from HSTS header
---
 src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
index 18827b0c81..570dc493a9 100644
--- a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
@@ -16,7 +16,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
 // If you want do to it perfectly, you have to submit it https://hstspreload.appspot.com/,
 // but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
 public HstsCheck(IRuntimeState runtime, ILocalizedTextService textService)
- : base(runtime, textService, "Strict-Transport-Security", "max-age=10886400; preload", "hSTS", true)
+ : base(runtime, textService, "Strict-Transport-Security", "max-age=10886400", "hSTS", true)
 {
 }
 }
From dae8802c506fd586a0f8191047b0459380778f4b Mon Sep 17 00:00:00 2001
From: Ollie Philpott
Date: Wed, 8 May 2019 11:11:01 +0100
Subject: [PATCH 2/5] Removed preload from descriptions
---
 src/Umbraco.Web.UI/Umbraco/config/lang/en.xml | 2 +-
 src/Umbraco.Web.UI/Umbraco/config/lang/en_us.xml | 2 +-
 src/Umbraco.Web.UI/Umbraco/config/lang/fr.xml | 2 +-
 src/Umbraco.Web.UI/Umbraco/config/lang/ru.xml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Umbraco.Web.UI/Umbraco/config/lang/en.xml b/src/Umbraco.Web.UI/Umbraco/config/lang/en.xml
index 9678903975..b40da58a2c 100644
--- a/src/Umbraco.Web.UI/Umbraco/config/lang/en.xml
+++ b/src/Umbraco.Web.UI/Umbraco/config/lang/en.xml
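Review bot: The new `: base(...)` line keeps `max-age=10886400` (126 days, 18 weeks), which is well short of the `max-age=31536000` (one year) that the OWASP HSTS cheat sheet cited in the comment just above this hunk recommends once a site is committed to HTTPS; 18 weeks appears to be the old preload-list minimum, and the list now requires a year, so the value is worth revisiting in a follow-up. Dropping `preload` itself is correct, since that token is only honoured by the preload list and is meaningless without `includeSubDomains` and a one-year max-age, neither of which this check sets. The same literal is repeated as prose in the en.xml, en_us.xml, fr.xml and ru.xml hunks of the next patch and as "18 weeks" in the Description attribute of the later HstsCheck.cs hunks, so any future change to the max-age has to touch all of them together — a comment on the value line such as `// 10886400 s = 18 weeks; keep in sync with the lang/*.xml texts and the Description attribute` would make that visible. The HstsCheck class declaration and the comment block start above this hunk.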
@@ -2036,7 +2036,7 @@ To manage your website, simply open the Umbraco back office and start adding con
 A setting to create a header protecting against MIME sniffing vulnerabilities has been added to your web.config file.
 Strict-Transport-Security, also known as the HSTS-header, was found.]]>
 Strict-Transport-Security was not found.]]>
- Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400; preload' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).
+ Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).
 The HSTS header has been added to your web.config file.
 X-XSS-Protection was found.]]>
 X-XSS-Protection was not found.]]>
diff --git a/src/Umbraco.Web.UI/Umbraco/config/lang/en_us.xml b/src/Umbraco.Web.UI/Umbraco/config/lang/en_us.xml
index af6add9f64..bd2cc6f5a2 100644
--- a/src/Umbraco.Web.UI/Umbraco/config/lang/en_us.xml
+++ b/src/Umbraco.Web.UI/Umbraco/config/lang/en_us.xml
@@ -2050,7 +2050,7 @@ To manage your website, simply open the Umbraco back office and start adding con
 A setting to create a header protecting against MIME sniffing vulnerabilities has been added to your web.config file.
 Strict-Transport-Security, also known as the HSTS-header, was found.]]>
 Strict-Transport-Security was not found.]]>
- Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400; preload' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).
+ Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).
 The HSTS header has been added to your web.config file.
 X-XSS-Protection was found.]]>
 X-XSS-Protection was not found.]]>
diff --git a/src/Umbraco.Web.UI/Umbraco/config/lang/fr.xml b/src/Umbraco.Web.UI/Umbraco/config/lang/fr.xml
index 8e378f0bc9..8bc41d63b2 100644
--- a/src/Umbraco.Web.UI/Umbraco/config/lang/fr.xml
+++ b/src/Umbraco.Web.UI/Umbraco/config/lang/fr.xml
@@ -1813,7 +1813,7 @@ Pour gérer votre site, ouvrez simplement le backoffice Umbraco et commencez à
 Une configuration a été ajoutée dans votre fichier web.config pour créer un header protégeant contre les vulnérabilités de MIME sniffing.
 Strict-Transport-Security, aussi connu sous le nom de HSTS-header, a été trouvé.]]>
 Strict-Transport-Security, aussi connu sous le nom de HSTS-header, n'a pas été trouvé.]]>
- Ajoute l'en-tête 'Strict-Transport-Security' avec la valeur 'max-age=10886400; preload' à la section httpProtocol/customHeaders du fichier web.config. Utilisez cette correction uniquement si vos domaines vont fonctionner en https pour les 18 prochaines semaines (minimum).
+ Ajoute l'en-tête 'Strict-Transport-Security' avec la valeur 'max-age=10886400' à la section httpProtocol/customHeaders du fichier web.config. Utilisez cette correction uniquement si vos domaines vont fonctionner en https pour les 18 prochaines semaines (minimum).
 L'en-tête HSTS a été ajouté dans votre fichier web.config.
 X-XSS-Protection a été trouvé.]]>
 X-XSS-Protection n'a pas été trouvé.]]>
diff --git a/src/Umbraco.Web.UI/Umbraco/config/lang/ru.xml b/src/Umbraco.Web.UI/Umbraco/config/lang/ru.xml
index 7698453b4a..5f138efc81 100644
--- a/src/Umbraco.Web.UI/Umbraco/config/lang/ru.xml
+++ b/src/Umbraco.Web.UI/Umbraco/config/lang/ru.xml
@@ -743,7 +743,7 @@
 Значение, добавляющее заголовок, препятствующий использованию MIME-уязвимостей, успешно добавлено в файл web.config.
 Strict-Transport-Security, известный также как HSTS-header, обнаружен.]]>
 Strict-Transport-Security не найден.]]>
- Добавляет заголовок 'Strict-Transport-Security' и его значение 'max-age=10886400; preload' в секцию httpProtocol/customHeaders файла web.config. Применяйте этот способ только в случае, если доступ к Вашим сайтам будет осуществляться по протоколу https как минимум ближайшие 18 недель.
+ Добавляет заголовок 'Strict-Transport-Security' и его значение 'max-age=10886400' в секцию httpProtocol/customHeaders файла web.config. Применяйте этот способ только в случае, если доступ к Вашим сайтам будет осуществляться по протоколу https как минимум ближайшие 18 недель.
 Заголовок HSTS-header успешно добавлен в файл web.config.
 X-XSS-Protection обнаружен.]]>
 X-XSS-Protection не найден.]]>
From bea1d35ebff9ff08f6d2a06e3b1b0dd3fee248ea Mon Sep 17 00:00:00 2001
From: Ollie Philpott
Date: Wed, 8 May 2019 11:11:47 +0100
Subject: [PATCH 3/5] Updated hsts urls
---
 src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
index 570dc493a9..cb82badc4a 100644
--- a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
@@ -11,9 +11,9 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
 public class HstsCheck : BaseHttpHeaderCheck
 {
 // The check is mostly based on the instructions in the OWASP CheatSheet
- // (https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet)
+ // (https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md)
 // and the blog post of Troy Hunt (https://www.troyhunt.com/understanding-http-strict-transport/)
- // If you want do to it perfectly, you have to submit it https://hstspreload.appspot.com/,
+ // If you want do to it perfectly, you have to submit it https://hstspreload.org/,
 // but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
 public HstsCheck(IRuntimeState runtime, ILocalizedTextService textService)
 : base(runtime, textService, "Strict-Transport-Security", "max-age=10886400", "hSTS", true)
From b6ad19ccad3360b6eb30ef10307f08e0b8f2807f Mon Sep 17 00:00:00 2001
From: Ollie Philpott
Date: Wed, 8 May 2019 11:12:09 +0100
Subject: [PATCH 4/5] Corrected hsts max age description
---
 src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
index cb82badc4a..eb4a3d4388 100644
--- a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
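Review bot: The rewritten second `+` comment line still carries the "do to it" typo and still leaves the reader to infer what preload submission actually entails, which is the point the next line ("you should include subdomains") only half states. Since the header value no longer carries `preload`, the comment is the only place that explains why, so make it explicit: `// If you want to do it perfectly, you have to submit it to https://hstspreload.org/, which requires` / `// includeSubDomains and a max-age of at least one year; that is not suggested for Umbraco-sites,` / `// so 'preload' is deliberately left out of the header value below.`. The first `+` line's URL update and the rest of the hunk are fine as is.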
@@ -6,7 +6,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
 [HealthCheck(
 "E2048C48-21C5-4BE1-A80B-8062162DF124",
 "Cookie hijacking and protocol downgrade attacks Protection (Strict-Transport-Security Header (HSTS))",
- Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds with a default of 100 days.",
+ Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds with a default of 126 days.",
 Group = "Security")]
 public class HstsCheck : BaseHttpHeaderCheck
 {
From 0a752c8985620b057cd2b1f495cf1542e1b722c6 Mon Sep 17 00:00:00 2001
From: Ollie Philpott
Date: Wed, 8 May 2019 11:57:03 +0100
Subject: [PATCH 5/5] Updated hsts description from days to weeks
---
 src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
index eb4a3d4388..d0da243ced 100644
--- a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
@@ -6,7 +6,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
 [HealthCheck(
 "E2048C48-21C5-4BE1-A80B-8062162DF124",
 "Cookie hijacking and protocol downgrade attacks Protection (Strict-Transport-Security Header (HSTS))",
- Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds with a default of 126 days.",
+ Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds with a default of 18 weeks.",
 Group = "Security")]
 public class HstsCheck : BaseHttpHeaderCheck
 {
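Review bot: The new `Description` string in the PATCH 5/5 hunk is grammatically incomplete — "it adds with a default of 18 weeks" has no object and does not say what the 18 weeks is a value of — and this text is shown to back-office users in the health-check UI. The duration itself is right (10886400 s is 126 days, i.e. 18 weeks), so only the wording needs a touch: `Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds one with a default max-age of 18 weeks.",`. The PATCH 4/5 hunk just above changes the same string to "126 days" and is immediately superseded here, so the two commits could be squashed before merge; the HstsCheck class body continues below this hunk.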