
HTTP Strict Transport Security (HSTS) Response Header

Issue

Many penetration tests and security scans of applications hosted on Mendix Cloud report findings or possible vulnerabilities related to the HTTP Strict Transport Security (HSTS) response header. The three directives scanners typically check in this header are the following:

  • max-age=31536000
  • includeSubDomains
  • preload

Once a browser has received the HSTS header over HTTPS, it remembers the policy for the specified host for max-age seconds: it rewrites every http:// URL for that host to https:// before sending the request and refuses to continue past certificate errors. A browser ignores the header when it arrives over plain HTTP, so the protection takes effect after the first successful HTTPS visit, and the server-side redirect covers that first request.

Environment

Applications hosted in Mendix Cloud

Solution/Workaround

The HSTS header is set automatically for applications hosted in Mendix Cloud with the max-age=31536000 directive (one year). The includeSubDomains and preload directives are not set, which is what scan findings usually refer to.

The includeSubDomains directive, when enabled, extends the HSTS policy from the host that sets the header to every hostname below it. While generally recommended for broad protection, there are specific reasons why Mendix has chosen not to set the includeSubDomains directive in Mendix Public Cloud.

The main reason is that Mendix already enforces HTTPS on the server side: redirection rules automatically send HTTP requests to HTTPS for all domains configured in Mendix Public Cloud, and the HSTS policy with max-age=31536000 still applies to the app's own hostname. The includeSubDomains directive would add nothing for the app host itself; it would only extend the policy to hostnames under it.

Enabling the includeSubDomains directive for all domains could have several negative side effects for custom domains configured in Mendix Public Cloud. By enabling it, Mendix would dictate a security policy for subdomains that are beyond its control: for example, an app served on a customer's apex domain would impose HSTS on every hostname under that domain. Some of those hostnames might be running legacy systems or services that do not support HTTPS, and enforcing HSTS on them could break functionality or access to those services.
If such a subdomain is accidentally covered by the HSTS policy and later found to be incompatible with HTTPS, users are locked out of that subdomain until the stored policy expires. Recovery is difficult, because the browser only updates the policy when it receives a new header over HTTPS from the host that set it, and the one-year max-age means stale policies persist for a long time.

Furthermore, Google maintains an HSTS preload service (hstspreload.org). This is a list of sites that are hardcoded into Chrome as being HTTPS-only (Firefox, Safari and Edge consume the same list), so the policy applies before the browser has ever seen the header. Being on the preload list has effectively permanent consequences: if a need arises to switch your site or any of its subdomains back to HTTP, removal has to be requested and can take months to reach users, who cannot access the site in the meantime. The preload list only accepts hosts that send max-age of at least one year together with includeSubDomains and preload; because includeSubDomains is not set, the preload directive is not set and apps hosted in Mendix Cloud are not eligible for the preload list.
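The checks described in the Issue and Solution sections above can be reproduced locally. The following is an added example, not code from Mendix or from this article: it parses a Strict-Transport-Security header value according to the RFC 6797 directive syntax and reports the findings a scanner typically raises for max-age, includeSubDomains and preload, including whether a header that sets preload actually meets the preload-list requirements. The function names, the PRELOAD_MIN_MAX_AGE constant, the wording of the findings and the sample header values are all constructed for this example; the value "max-age=31536000" is the one the article says Mendix Cloud sends.

```python
"""Evaluate a Strict-Transport-Security header the way a scanner does.

Added example, not Mendix code. parse_hsts() follows the RFC 6797 directive
syntax; findings() reports the three points the article discusses. The
finding strings and sample values are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum hstspreload.org accepts


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse the header value; None means the response carried no HSTS header."""
    if header_value is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=True)
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # RFC 6797 allows a quoted max-age value
        if name in seen:
            # RFC 6797 section 6.1: a repeated directive invalidates the whole header
            policy.errors.append(f"duplicate directive {name}: browsers ignore the header")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age={value!r} is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # unknown directives are ignored, as the RFC requires
    if policy.max_age is None and not policy.errors:
        policy.errors.append("max-age missing: browsers ignore the header")
    return policy


def findings(policy: HstsPolicy) -> List[str]:
    """Findings a scanner would raise for this policy (empty list = fully hardened)."""
    if not policy.present:
        return ["HSTS header missing: browsers will keep sending http:// requests"]
    out = list(policy.errors)
    if policy.max_age == 0:
        out.append("max-age=0 revokes any stored policy")
    elif policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
        out.append(f"max-age={policy.max_age} is shorter than the recommended one year")
    if not policy.include_subdomains:
        out.append("includeSubDomains not set: policy covers this hostname only")
    preload_ok = (policy.include_subdomains and policy.max_age is not None
                  and policy.max_age >= PRELOAD_MIN_MAX_AGE)
    if policy.preload and not preload_ok:
        out.append("preload set but max-age >= 1 year and includeSubDomains "
                   "are required for the preload list")
    elif not policy.preload:
        out.append("preload not set: hostname is not eligible for browser preload lists")
    return out


if __name__ == "__main__":
    # Constructed sample values; the first is the one Mendix Cloud sends.
    for value in ("max-age=31536000",
                  "max-age=31536000; includeSubDomains; preload",
                  "max-age=300; preload",
                  None):
        print(repr(value), "->", findings(parse_hsts(value)))
```

To check a real response, take the Strict-Transport-Security value from `curl -sI https://<your-app-host>` and pass it to parse_hsts(). For a Mendix Cloud app the result is the two findings about includeSubDomains and preload, which is the expected outcome this article describes rather than a misconfiguration.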

Internal information related

  • 224674, 217647, 217424, 221045, 211843, 205923, 177075
  • DEP-5917
  • C1H3QALCX/p1723465847529019, CA82XPUQG/p1716299781932029, CUUNVHS9M/p1713256095895489

