
squarespace HSTS is broken -- can someone please fix?

Site URL: https://www.havenconnect.com

Currently Squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more.

Based on my understanding of HSTS, this prevents domains using Squarespace from being eligible for preloading. More info here: https://scotthelme.co.uk/hsts-preloading/

I'm not a security expert, so my first question is this: am I correct in understanding that Squarespace's HSTS implementation does not force all users to HTTPS?

Second question: if my understanding is correct, does Squarespace plan to address this security flaw/vulnerability? And if so, when?

Thanks!

  • 3 months later...
On 11/16/2020 at 3:54 PM, charles_h said:

[quotes the original post above in full]

Bumping this. Can someone from Squarespace please comment on this?


I second this. I was doing security scanning on my deployed website and received a warning that the "max-age" value is too short.

I'm using the popular security scanner, SSL Labs' SSL Server Test:

https://www.ssllabs.com/ssltest/index.html


To be clear, HSTS isn't "broken", but Squarespace are not following security best practice either.

Squarespace made a compromise between security and ease of use because if max-age was increased, some users could inadvertently take their site down for several days by playing with the SSL settings.

I pointed out concerns with HSTS three years ago in 2016 but nothing has changed. [March 2021]

As you've probably guessed, there is nothing you can do to change the Squarespace settings. All you can do is wrap another, stronger security service around Squarespace.

“The HSTS implementation could also be improved. Squarespace made Secure Sockets (SSL) universally available in October 2016 but some aspects of this are not as secure as they could be. Increasing the HSTS Max-Age setting (or allowing us to configure it) would improve this significantly in the eyes of security professionals.”

This forum is not monitored for feature requests or reporting of issues, so if you (or others) would like Squarespace to consider changing the HSTS settings, you can provide feedback to Squarespace by opening a support ticket. Increasing awareness of this issue may help to get it changed. 

Improve your online store with our extensions.
About: Squarespace Circle Leader since 2017. I value honesty, transparency, appreciation and great design ♥.
Work: Squarespace Developer and founder of SF Digital, building the features Squarespace didn't include™.
Content: Links in my posts may refer to SF Digital products or may be affiliate links.

Buy me a coffee

  • 6 months later...
3 minutes ago, Kristina_Praxis said:

We have this exact same problem.

Please describe your issue, and include a working link to the site.

3 hours ago, Kristina_Praxis said:

Specifically, our security department's scans said that our Squarespace site is not following HSTS security best practices because our HSTS header does not include the attributes "max-age=31536000; includeSubDomains;"

I agree, Squarespace do not follow security best practice for HSTS, but there is nothing you can do about the Squarespace settings. These are controlled by Squarespace and can only be changed if Squarespace choose to change them.

If you require more secure settings then you'll need to host your DNS on a third-party service that can act as a reverse proxy and enforce stricter SSL settings. For example, Cloudflare.

For the benefit of anyone else who is reading this thread, HSTS (HTTP Strict Transport Security) is a web security policy technology designed to help keep web servers secure against 'downgrade' attacks. HSTS causes browsers to strictly enforce web security practices and can prevent attackers from redirecting visitors' browsers from your site to a different, lower-security site that they control. The HSTS max-age parameter tells browsers how long to continue to enforce the policy even if the site changes.

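To make the explanation above concrete, here is an added example (my own code, not the poster's, a browser's, or Squarespace's) that simulates the browser side of HSTS as specified in RFC 6797 section 8: a cache of known HSTS hosts, expiry after `max-age` seconds, superdomain matching when `includeSubDomains` is set, and the rewrite of `http://` URLs to `https://` before any request leaves the machine. The hostnames and the 300-second `max-age` are constructed values chosen to show the failure mode; they are not Squarespace's real settings.

```python
"""Simulate the browser side of HSTS (RFC 6797 section 8): the known-HSTS-host
cache, max-age expiry, includeSubDomains matching and http->https rewriting.
Added example; not browser, Squarespace or thread code.  Hostnames and the
300-second max-age are constructed values."""
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlsplit, urlunsplit


@dataclass
class KnownHost:
    expires_at: float          # absolute time in seconds: now + max-age
    include_subdomains: bool


class HstsCache:
    """The per-browser list of known HSTS hosts."""

    def __init__(self) -> None:
        self._hosts: Dict[str, KnownHost] = {}

    def note_response(self, host: str, over_tls: bool, max_age: int,
                      include_subdomains: bool, now: float) -> None:
        """Process an STS header from a response (RFC 6797 section 8.1).
        A header seen over plain HTTP (or over TLS with certificate errors,
        folded into over_tls=False here) is ignored; max-age=0 evicts the
        host; otherwise the entry is created or refreshed with a new expiry."""
        host = host.lower()
        if not over_tls:
            return
        if max_age == 0:
            self._hosts.pop(host, None)
            return
        self._hosts[host] = KnownHost(now + max_age, include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """Sections 8.2/8.3: exact match, or a superdomain match whose entry
        carries includeSubDomains.  Expired entries are dropped on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._hosts[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Section 8.3 URI loading: before any network request, an http URL to
        a known host is rewritten to https (port 80 becomes 443, other ports
        are kept).  Unknown or expired hosts go out over plain HTTP, which is
        exactly the window a downgrade attack needs."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.note_response("www.example.com", True, 300, False, now=0)
    print(cache.rewrite("http://www.example.com/login", now=100))   # upgraded to https
    print(cache.rewrite("http://www.example.com/login", now=400))   # expired: plain http again
    print(cache.rewrite("http://shop.example.com/", now=100))       # no includeSubDomains
```

Two things the simulation makes visible that the header alone does not: with a short `max-age`, a visitor who has been away longer than that is back to an unprotected first request, and nothing protects the very first visit at all, which is the gap the preload list closes by shipping the policy inside the browser.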
  • 7 months later...
37 minutes ago, Darsey123 said:

Does this new HSTS setting solve it?

Which new HSTS setting are you referring to? There has always been an option to enable HSTS but you cannot set the HSTS max-age value, which is the issue. 

  • 3 weeks later...

A year and a half later and nothing. This is easy to fix and will improve security and SEO for every user. It's free real estate!
If at least Squarespace worked with Cloudflare proxying the DNS records, this wouldn't be such a problem.
