
charles_h (Member, 4 posts)

Posts posted by charles_h

  1. On 11/16/2020 at 3:54 PM, charles_h said:

    Site URL: https://www.havenconnect.com

    Currently Squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.

    Based on my understanding of HSTS, this prevents domains using Squarespace from being eligible for preloading. More info here: https://scotthelme.co.uk/hsts-preloading/

    I'm not a security expert, so my first question is this: am I correct in understanding that Squarespace's HSTS implementation does not force all users to HTTPS?

    Second question: if my understanding is correct, does Squarespace plan to address this security flaw/vulnerability? And if so, when?

    Thanks!

    Bumping this. Can someone from Squarespace please comment on this?

  2. Site URL: https://www.havenconnect.com

    Currently Squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.

    Based on my understanding of HSTS, this prevents domains using Squarespace from being eligible for preloading. More info here: https://scotthelme.co.uk/hsts-preloading/

    I'm not a security expert, so my first question is this: am I correct in understanding that Squarespace's HSTS implementation does not force all users to HTTPS?

    Second question: if my understanding is correct, does Squarespace plan to address this security flaw/vulnerability? And if so, when?

    Thanks!
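The two points the posts above turn on, as an added Python example that is not part of the thread and not code from Squarespace: first, what the HSTS preload list requires of a `Strict-Transport-Security` header (a `max-age` of at least one year, i.e. 31536000 seconds, plus `includeSubDomains` and `preload`), and second, why a header that falls short of that still leaves a gap. A browser only learns the HSTS policy from an HTTPS response it has already received, so a user's very first plain-HTTP request to a host that is not on the preload list is sent unprotected; the small cache model below makes that visible. All header values and hostnames here are constructed for illustration; the page does not show the header Squarespace actually sends. The preload list also requires the site to serve HTTPS with a valid certificate and redirect HTTP to HTTPS, which a header check alone cannot verify.

```python
"""HSTS header parsing, preload-eligibility checks and a toy browser HSTS
cache.  Added example; hostnames and header values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# hstspreload.org requires max-age to be at least one year (in seconds).
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (directives are
    separated by ';' and matched case-insensitively)."""
    max_age, inc, pre = None, False, False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            inc = True
        elif name == "preload":
            pre = True
    return HstsPolicy(max_age, inc, pre)


def preload_problems(header: str) -> List[str]:
    """Return the reasons a header would be rejected by the preload list
    (empty list means the header itself is acceptable)."""
    p = parse_hsts(header)
    problems: List[str] = []
    if p.max_age is None:
        problems.append("missing max-age")
    elif p.max_age < ONE_YEAR:
        problems.append(f"max-age {p.max_age} is below one year ({ONE_YEAR})")
    if not p.include_subdomains:
        problems.append("missing includeSubDomains")
    if not p.preload:
        problems.append("missing preload")
    return problems


# Toy browser model: host -> (expiry timestamp, includeSubDomains flag).
HstsCache = Dict[str, Tuple[int, bool]]


def _suffixes(host: str) -> List[str]:
    """'shop.example.com' -> ['shop.example.com', 'example.com', 'com']."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def remember_hsts(cache: HstsCache, host: str, header: str, now: int) -> None:
    """Record the policy learned from an HTTPS response; max-age=0 clears it."""
    p = parse_hsts(header)
    if p.max_age is None:
        return
    if p.max_age == 0:
        cache.pop(host.lower(), None)
        return
    cache[host.lower()] = (now + p.max_age, p.include_subdomains)


def upgrade_to_https(host: str, cache: HstsCache, preload_list: Set[str], now: int) -> bool:
    """Would the browser rewrite http://host to https:// before sending anything?
    Preloaded entries always cover subdomains; cached entries only if the
    response carried includeSubDomains."""
    for depth, name in enumerate(_suffixes(host)):
        if name in preload_list:
            return True
        entry = cache.get(name)
        if entry is not None:
            expiry, covers_subdomains = entry
            if now < expiry and (depth == 0 or covers_subdomains):
                return True
    return False


if __name__ == "__main__":
    # Constructed header with a sub-year max-age and no extra directives.
    print(preload_problems("max-age=15552000"))
    cache: HstsCache = {}
    print(upgrade_to_https("www.example.com", cache, set(), now=0))   # first visit: False
    remember_hsts(cache, "www.example.com", "max-age=15552000", now=0)
    print(upgrade_to_https("www.example.com", cache, set(), now=10))  # learned: True
```

The first `upgrade_to_https` call returning `False` is the gap the thread is about: without a preload-list entry, a host only forces HTTPS for users who have already completed one HTTPS visit within `max-age`, and a header that is missing `preload`, `includeSubDomains`, or a one-year `max-age` cannot be submitted to close that gap.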
