charles_h, posted November 16, 2020

Site URL: https://www.havenconnect.com

Currently Squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more. Based on my understanding of HSTS, this prevents domains using Squarespace from being eligible for preloading. More info here: https://scotthelme.co.uk/hsts-preloading/

I'm not a security expert, so my first question is this: am I correct in understanding Squarespace's HSTS implementation does not force all users to HTTPS?

Second question: if my understanding is correct, does Squarespace plan to address this security flaw/vulnerability? And if so, when?

Thanks!
charles_h (author), posted March 5, 2021

On 11/16/2020 at 3:54 PM, charles_h said: (quoting the original post above)

Bumping this. Can someone from Squarespace please comment on this?
prasand, posted March 6, 2021

I second this. Was doing security scanning on my deployed website and received warnings that the "max-age" was being flagged with a warning that it's too short. I'm using the popular security scanner, SSL Labs' SSL Server Test: https://www.ssllabs.com/ssltest/index.html
paul2009, posted March 6, 2021 (edited)

To be clear, HSTS isn't "broken", but Squarespace are not following security best practice either. Squarespace made a compromise between security and ease of use, because if max-age was increased, some users could inadvertently take their site down for several days by playing with the SSL settings. I pointed out concerns with HSTS three years ago in 2016, but nothing has changed.

[March 2021] As you've probably guessed, there is nothing you can do to change the Squarespace settings. All you can do is to wrap another stronger security service around Squarespace.

Quote: "The HSTS implementation could also be improved. Squarespace made Secure Sockets (SSL) universally available in October 2016, but some aspects of this are not as secure as they could be. Increasing the HSTS Max-Age setting (or allowing us to configure it) would improve this significantly in the eyes of security professionals."

This forum is not monitored for feature requests or reporting of issues, so if you (or others) would like Squarespace to consider changing the HSTS settings, you can provide feedback to Squarespace by opening a support ticket. Increasing awareness of this issue may help to get it changed.

(Edited September 10, 2021 by paul2009: added link to support)

Me: I'm Paul, a SQSP user for >18 yrs & Circle Leader since 2017. I value honesty, transparency, diversity and good design ♥. Work: Founder of SF.DIGITAL. We provide high quality original extensions to supercharge your Squarespace website. Content: Views and opinions are my own. Links in my posts may refer to my own SF.DIGITAL products or may be affiliate links. Forum advice is completely free. You can thank me by selecting a feedback emoji. Buying a coffee is generous but optional. Would you like your customers to be able to mark their favourite products in your Squarespace store?
Kristina_Praxis, posted September 10, 2021

We have this exact same problem and were told by Squarespace support that we should create custom code within our site to handle this, but also that we run the risk that this custom code "could" cause future incompatibilities. Has anyone done this?
paul2009, posted September 10, 2021 (edited)

3 minutes ago, Kristina_Praxis said: "We have this exact same problem."

Please describe your issue, and include a working link to the site.
Kristina_Praxis, posted September 10, 2021

The issue specifically is that we need to add a HSTS derivative for max-age and includeSubDomain. Specifically, our security department scans said that our Squarespace site (www.praxiseng.com) is not following HSTS security best practices because we do not include HSTS attributes to include "max-age=31536000; includeSubDomains;".
paul2009, posted September 10, 2021

3 hours ago, Kristina_Praxis said: "Specifically, our security department scans said that our Squarespace site is not following HSTS security best practices because we do not include HSTS attributes to include "max-age=31536000; includeSubDomains;""

I agree, Squarespace do not follow security best practice for HSTS, but there is nothing you can do about the Squarespace settings. These are controlled by Squarespace and can only be changed if Squarespace choose to change them. If you require more secure settings then you'll need to host your DNS on a third party service that can act as a reverse proxy and enforce stricter SSL settings. For example, Cloudflare.

For the benefit of anyone else who is reading this thread, HSTS (HTTP Strict Transport Security) is a web security policy technology designed to help keep web servers secure against 'downgrade' attacks. HSTS causes browsers to strictly enforce web security practices and can prevent attackers redirecting visitors' browsers from your site to a different, lower security site that they control. The HSTS max-age parameter tells browsers how long to continue to enforce policy even if the site changes.
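As an added illustration (not code from this thread, from Squarespace or from Cloudflare), a small Python model of the two points discussed above: which directives the HSTS preload list requires of the header, and why a short max-age narrows the window in which a browser will refuse plain HTTP for a site it has already seen. The one-year threshold follows the preload-list submission rules; the header values and host names are constructed for the example.

```python
from dataclasses import dataclass

ONE_YEAR = 31536000  # minimum max-age (seconds) the HSTS preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value; None if unusable."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None  # RFC 6797 requires max-age; without it the header is ignored
    return HstsPolicy(int(max_age), "includesubdomains" in directives, "preload" in directives)


def preload_problems(header: str):
    """Reasons a header would fail the preload-list submission checks."""
    policy = parse_hsts(header)
    if policy is None:
        return ["missing or malformed max-age"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Toy model of a browser's HSTS cache (constructed for this example)."""
    def __init__(self):
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host: str, header: str, now: float):
        policy = parse_hsts(header)  # browsers only honour the header over HTTPS
        if policy is not None:
            self.entries[host] = (now + policy.max_age, policy.include_subdomains)

    def upgrades(self, host: str, now: float) -> bool:
        """True if an http:// request to host would be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            expiry, subs = self.entries.get(".".join(labels[i:]), (0, False))
            if now < expiry and (i == 0 or subs):
                return True
        return False
```

Before the first HTTPS visit the store is empty, so nothing is upgraded; that is the gap preloading closes, and a short max-age reopens it as soon as the entry expires.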
Darsey123, posted May 3, 2022

https://support.squarespace.com/hc/en-us/articles/205815898?_ga=2.100865606.635741476.1651605725-1365167969.1651605725

Does this new HSTS setting solve it?
paul2009, posted May 3, 2022

37 minutes ago, Darsey123 said: "Does this new HSTS setting solve it?"

Which new HSTS setting are you referring to? There has always been an option to enable HSTS, but you cannot set the HSTS max-age value, which is the issue.
Darsey123, posted May 3, 2022

Ohhh, I see. Thanks for the clarity.
Dher, posted May 23, 2022 (edited)

A year and a half later and nothing. This is easy to fix and will improve security and SEO for every user. It's free real estate! If at least Squarespace worked with Cloudflare proxying the DNS records, this wouldn't be such a problem.