[squarespace HSTS is broken -- can someone please fix?]

On 11/16/2020 at 3:54 PM, charles_h said:

Site URL: https://www.havenconnect.com

currently squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.

based on my understanding of HSTS, this prevents domains using squarespace from being eligible for preloading. more info here: https://scotthelme.co.uk/hsts-preloading/

i'm not a security expert so my first question is this: am i correct in understanding squarespace's HSTS implementation does not force all users to HTTPS?

second question: if my understanding is correct, does squarespace plan to address this security flaw/vulnerability? and if so, when?

thanks!

bumping this. can someone from squarespace please comment on this?

[squarespace HSTS is broken -- can someone please fix?]

Site URL: https://www.havenconnect.com

currently squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.

based on my understanding of HSTS, this prevents domains using squarespace from being eligible for preloading. more info here: https://scotthelme.co.uk/hsts-preloading/

i'm not a security expert so my first question is this: am i correct in understanding squarespace's HSTS implementation does not force all users to HTTPS?

second question: if my understanding is correct, does squarespace plan to address this security flaw/vulnerability? and if so, when?

thanks!