This repository has been archived by the owner on Oct 21, 2022. It is now read-only.
The web servers for badgr-dev2.edubadges.nl do not respond with an HTTP Strict-Transport-Security header. This means there isn't a Strict Transport Security policy in place.
The HTTP Strict Transport Security policy defines a time period during which a
browser must connect to the web server over HTTPS only. Plain HTTP connections are
not allowed, which protects the user against protocol downgrade attacks.
Note that the response in the sample request does not contain an HSTS header:
POST /api-auth/token HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: https://surf-dev2.edubadges.nl/auth/login
Content-Length: 58
Origin: https://surf-dev2.edubadges.nl
Connection: close
username=stefanpentest%2Bteacher%40gmail.com&password=test
HTTP/1.1 400 Bad Request
Server: nginx/1.12.2
Date: Thu, 07 Jun 2018 01:18:13 GMT
Content-Type: application/json
Connection: close
Vary: Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: POST, OPTIONS
Content-Length: 68
{"non_field_errors":["Unable to log in with provided credentials."]}
Impact:
An attacker could trick the user into using the insecure version of the
site, or a man-in-the-middle attacker could redirect traffic from the secure
version to the insecure version. An attacker then could eavesdrop on the
connection and obtain sensitive data.
Recommendation:
Make sure to set proper HTTP Strict-Transport-Security headers for all
web servers that should send out content over HTTPS only.
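As an added illustration of how the policy described above can be verified after the fix (this is example code written for this note, not part of the original report or the project), the script below parses a raw HTTP response and checks whether it carries a usable Strict-Transport-Security policy: the header must be present, must contain a `max-age` directive (RFC 6797 treats a policy without one as invalid), must not be `max-age=0` (which removes the policy), and should meet a minimum lifetime. The sample responses are constructed inline and modelled on the one quoted above; the 180-day minimum is an assumption for this example, not a value from the report.

```python
"""Check a raw HTTP response for a Strict-Transport-Security (HSTS) policy."""

# Minimum policy lifetime accepted by this check: 180 days (assumption for this example).
MIN_MAX_AGE = 15552000

# Constructed sample: the headers of the response quoted in the report (no HSTS header).
RESPONSE_WITHOUT_HSTS = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: nginx/1.12.2\r\n"
    "Content-Type: application/json\r\n"
    "Connection: close\r\n"
    "\r\n"
    '{"non_field_errors":["Unable to log in with provided credentials."]}'
)

# Constructed sample: the same response after a proper HSTS policy has been configured.
RESPONSE_WITH_HSTS = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: nginx/1.12.2\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: application/json\r\n"
    "Connection: close\r\n"
    "\r\n"
    '{"non_field_errors":["Unable to log in with provided credentials."]}'
)


def parse_headers(raw_response):
    """Split a raw HTTP/1.1 response into (status_line, headers).

    Header names are lower-cased; repeated headers are collected in a list.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797) into a directive dict.

    Directive names are case-insensitive and max-age may be a quoted string.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"invalid max-age value: {val!r}")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(raw_response, min_max_age=MIN_MAX_AGE):
    """Return (ok, reason) describing the HSTS policy carried by the response."""
    _status, headers = parse_headers(raw_response)
    values = headers.get("strict-transport-security")
    if not values:
        return False, "no Strict-Transport-Security header"
    # RFC 6797 section 8.1: when several HSTS headers are present, only the first is processed.
    try:
        policy = parse_hsts(values[0])
    except ValueError as exc:
        return False, str(exc)
    if policy["max_age"] is None:
        return False, "max-age directive missing, policy is invalid"
    if policy["max_age"] == 0:
        return False, "max-age=0 removes the policy rather than setting one"
    if policy["max_age"] < min_max_age:
        return False, f"max-age {policy['max_age']} is below the minimum of {min_max_age}"
    return True, "HSTS policy present"


if __name__ == "__main__":
    for label, sample in (("before", RESPONSE_WITHOUT_HSTS), ("after", RESPONSE_WITH_HSTS)):
        ok, reason = check_hsts(sample)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

Two caveats matter when applying this check to a real server. First, browsers only honour an HSTS header received over TLS, so the response must be fetched over HTTPS for the header to have any effect. Second, the response in the report is a 400, and with nginx the `add_header` directive is only applied to 2xx and 3xx responses unless the `always` parameter is given, so a policy that looks correct on the login page can still be missing from error responses; checking a non-2xx response, as this example does, catches that case.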