charles_h
Posts posted by charles_h
Site URL: https://www.havenconnect.com
currently squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.
based on my understanding of HSTS, this prevents domains using squarespace from being eligible for preloading. more info here: https://scotthelme.co.uk/hsts-preloading/
i'm not a security expert so my first question is this: am i correct in understanding squarespace's HSTS implementation does not force all users to HTTPS?
second question: if my understanding is correct, does squarespace plan to address this security flaw/vulnerability? and if so, when?
thanks!
- paul2009, prasand and Kristina_Praxis
- 3
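The header-level preload requirements the post above refers to (a `max-age` of a year or more, `includeSubDomains`, `preload`), as an added example that is not part of the original posts or any Squarespace code: a small Python checker for a `Strict-Transport-Security` value. The function names and the sample header values are constructed for illustration.

```python
# Added example: parse a Strict-Transport-Security value (RFC 6797 syntax)
# and list which header-level preload requirements it misses.
ONE_YEAR = 31536000  # seconds; the "a year or more" threshold from the post


def parse_hsts(value):
    """Return {directive: value-or-None}; raise ValueError if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directives (";;") are allowed
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None  # value may be quoted
        if name in directives:            # each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    max_age = directives.get("max-age") or ""
    if not (max_age.isascii() and max_age.isdigit()):
        raise ValueError("max-age missing or not a non-negative integer")
    return directives


def preload_gaps(value):
    """List the reasons a header value does not qualify for preloading."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    gaps = []
    if int(d["max-age"]) < ONE_YEAR:
        gaps.append(f"max-age {d['max-age']} is below {ONE_YEAR}")
    if "includesubdomains" not in d:
        gaps.append("includeSubDomains missing")
    if "preload" not in d:
        gaps.append("preload missing")
    return gaps


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    samples = [
        "max-age=15552000",
        "max-age=63072000; includeSubDomains; preload",
        'Max-Age="31536000"; includeSubDomains',
    ]
    for s in samples:
        print(f"{s!r}: {preload_gaps(s) or 'meets the header requirements'}")
```

An empty list means the header value itself qualifies; it says nothing about the redirect and certificate behaviour of the site that serves it.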
squarespace HSTS is broken -- can someone please fix?
in Customize with code
bumping this. can someone from squarespace please comment on this?