squarespace HSTS is broken -- can someone please fix?


charles_h

Question

Site URL: https://www.havenconnect.com

Currently Squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.

Based on my understanding of HSTS, this prevents domains using Squarespace from being eligible for preloading. More info here: https://scotthelme.co.uk/hsts-preloading/

I'm not a security expert, so my first question is this: am I correct in understanding that Squarespace's HSTS implementation does not force all users to HTTPS?

Second question: if my understanding is correct, does Squarespace plan to address this security flaw/vulnerability? And if so, when?

Thanks!


3 answers to this question

On 11/16/2020 at 3:54 PM, charles_h said: (quotes the original question above)

Bumping this. Can someone from Squarespace please comment on this?


I second this. I was doing security scanning on my deployed website and received a warning that the "max-age" is too short.

I'm using the popular security scanner, SSL Labs' SSL Server Test:

https://www.ssllabs.com/ssltest/index.html


I pointed out the max-age issue three years ago (see below) but nothing has changed. Presumably because they’ve made a compromise between security and ease of use. If max-age was increased, some users could inadvertently take their site down for several days by playing with the SSL settings. 

Quote

“The HSTS implementation could also be improved. Squarespace made Secure Sockets (SSL) universally available in October 2016 but some aspects of this are not as secure as they could be. Increasing the HSTS Max-Age setting (or allowing us to configure it) would improve this significantly in the eyes of security professionals.”

This forum is not monitored for requests, but you (and others) can provide feedback to Squarespace by opening a support ticket. Increasing awareness of this issue may help to get it changed. 

Hi! I'm Paul, an independent Squarespace Consultant since 2007 and founder of SF Digital, building the features that Squarespace didn't include. Our mini-extensions allow you to pick dates in any format, show prices in other currencies, take orders without payment or improve your cart. I value honesty, integrity, transparency and respect. Links in my posts may refer to SF Digital products or may be affiliate links.

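As an added example (not code from this thread, from Squarespace or from SSL Labs), here is a small Python checker that evaluates a Strict-Transport-Security header value against the preload criteria charles_h lists in the question: a max-age of at least a year, plus the includeSubDomains and preload directives. The parsing rules follow RFC 6797 (case-insensitive directive names, optionally quoted max-age, each directive at most once, unknown directives ignored); the one-year constant is the preload list's published minimum.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the preload list requires a max-age of at least one year

@dataclass
class HstsReport:
    max_age: int | None = None          # None when the header carries no usable max-age
    include_subdomains: bool = False
    preload: bool = False
    findings: list[str] = field(default_factory=list)

    @property
    def preload_eligible(self) -> bool:
        return (self.max_age is not None and self.max_age >= ONE_YEAR
                and self.include_subdomains and self.preload)

def parse_hsts(header: str) -> HstsReport:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax): directive
    names are case-insensitive, max-age may be quoted, each directive appears once,
    and unknown directives are ignored."""
    report = HstsReport()
    seen: set[str] = set()
    for raw in header.split(";"):
        if not raw.strip():
            continue
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            report.findings.append(f"duplicate directive '{name}'; RFC 6797 allows each only once")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                report.max_age = int(value)
            else:
                report.findings.append(f"max-age value {value!r} is not a non-negative integer")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        else:
            report.findings.append(f"unknown directive '{name}' ignored")
    # Preload eligibility checks; a short max-age is also what SSL Labs flags.
    if report.max_age is None:
        report.findings.append("max-age missing; not a valid HSTS policy")
    elif report.max_age < ONE_YEAR:
        report.findings.append(f"max-age {report.max_age} is under one year; not preload-eligible")
    for present, directive in ((report.include_subdomains, "includeSubDomains"), (report.preload, "preload")):
        if not present:
            report.findings.append(f"{directive} missing; not preload-eligible")
    return report
```

Before raising max-age toward the one-year mark, keep Paul's caveat above in mind: every browser that has seen the header will refuse plain HTTP to the host for that long, so a certificate misconfiguration during that window keeps the site unreachable for those visitors.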