
charles_h (Member, 4 posts)

Reputation Activity

  1. Like
    charles_h got a reaction from Kristina_Praxis in squarespace HSTS is broken -- can someone please fix?
    Site URL: https://www.havenconnect.com
    Currently Squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.
    Based on my understanding of HSTS, this prevents domains using Squarespace from being eligible for preloading. More info here: https://scotthelme.co.uk/hsts-preloading/
    I'm not a security expert, so my first question is this: am I correct in understanding that Squarespace's HSTS implementation does not force all users to HTTPS?
    Second question: if my understanding is correct, does Squarespace plan to address this security flaw/vulnerability? And if so, when?
    Thanks!
  2. Like
    charles_h reacted to paul2009 in squarespace HSTS is broken -- can someone please fix?
    To be clear, HSTS isn't "broken" but Squarespace are not following security best practice either.
    Squarespace made a compromise between security and ease of use because if max-age was increased, some users could inadvertently take their site down for several days by playing with the SSL settings.
    I pointed out concerns with HSTS three years ago in 2016 but nothing has changed. [March 2021]
    As you've probably guessed, there is nothing you can do to change the Squarespace settings. All you can do is to wrap another stronger security service around Squarespace.
    This forum is not monitored for feature requests or reporting of issues, so if you (or others) would like Squarespace to consider changing the HSTS settings, you can provide feedback to Squarespace by opening a support ticket. Increasing awareness of this issue may help to get it changed.
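    Both posts above come down to the same three header settings: `max-age`, `includeSubDomains` and `preload`. The toy model below is an added example written for this thread, not Squarespace's code or any browser's; the header strings, host names and timeline are constructed, and the "short policy" value of 7200 seconds is an assumption used for contrast, not Squarespace's actual setting. It shows why charles_h's first question has the answer it does (a browser that has never seen the site over HTTPS gets no upgrade unless the domain is preloaded), what the preload list checks, and why paul2009's caution about a long `max-age` is real.

```python
"""Toy model of how a browser applies Strict-Transport-Security (HSTS).

Added example for this thread; it is not Squarespace's or any browser's code.
Header strings, hosts and the timeline are constructed. The preload requirements
(max-age of at least one year, includeSubDomains, preload) are the published
ones at https://hstspreload.org/.
"""
from dataclasses import dataclass, field

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds, the preload-list minimum


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into its directives (RFC 6797 syntax).

    Directive names are case-insensitive, max-age may be quoted, and unknown
    directives are ignored, which is what a conforming client does.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(header: str) -> list:
    """Reasons the header would be rejected by the preload list (empty if eligible)."""
    p = parse_hsts(header)
    problems = []
    if p["max_age"] is None or p["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age must be at least %d (one year)" % PRELOAD_MIN_MAX_AGE)
    if not p["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not p["preload"]:
        problems.append("preload directive missing")
    return problems


@dataclass
class ToyBrowser:
    """Minimal HSTS store: host -> (expiry time, include_subdomains).

    `preloaded` stands in for the built-in preload list; entries on the real
    list always cover subdomains, so the toy list does too.
    """
    preloaded: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)

    def receive(self, host: str, header: str, now: int) -> None:
        """Record the policy carried by an HTTPS response received at time `now`."""
        p = parse_hsts(header)
        if p["max_age"] is None:
            return  # no max-age means an invalid header, which is ignored
        if p["max_age"] == 0:
            self.cache.pop(host, None)  # max-age=0 is how a site withdraws its policy
        else:
            self.cache[host] = (now + p["max_age"], p["include_subdomains"])

    def enforces_https(self, host: str, now: int) -> bool:
        """Would the browser rewrite http://host to https:// at time `now`?"""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.cache.get(candidate)
            if entry is not None:
                expiry, covers_subdomains = entry
                if expiry > now and (i == 0 or covers_subdomains):
                    return True
        return False


def walkthrough() -> dict:
    """Constructed timeline contrasting a short, non-preloadable policy with a full one."""
    short = "max-age=7200"                                 # assumed short policy, not a vendor's real value
    full = "max-age=31536000; includeSubDomains; preload"  # what the preload list requires
    b = ToyBrowser()
    out = {}
    out["first_visit_upgraded"] = b.enforces_https("www.example.com", 0)  # nothing cached yet
    b.receive("www.example.com", short, 0)
    out["within_max_age"] = b.enforces_https("www.example.com", 3600)
    out["after_max_age"] = b.enforces_https("www.example.com", 7201)      # policy expired
    out["sibling_host"] = b.enforces_https("shop.example.com", 3600)      # no includeSubDomains
    b.receive("example.com", full, 0)
    out["sibling_with_full_policy"] = b.enforces_https("shop.example.com", 3600)
    # A preloaded domain is upgraded even by a browser that has never visited it.
    out["preloaded_first_visit"] = ToyBrowser(preloaded={"example.com"}).enforces_https("www.example.com", 0)
    out["short_policy_problems"] = preload_problems(short)
    out["full_policy_problems"] = preload_problems(full)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

    The `first_visit_upgraded` entry is the answer to the first question: without preloading, HSTS is trust-on-first-use, so the very first `http://` request (and every request from a browser whose cached policy has expired) is not forced to HTTPS. The `after_max_age` entry is the flip side of paul2009's point: a cached policy can only be withdrawn by serving `max-age=0` over a working HTTPS connection, so with a one-year `max-age` a broken certificate keeps returning visitors locked out until their cached expiry passes.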
  3. Like
    charles_h got a reaction from prasand in squarespace HSTS is broken -- can someone please fix? (the same post as in item 1)
  4. Like
    charles_h got a reaction from paul2009 in squarespace HSTS is broken -- can someone please fix? (the same post as in item 1)