Set HSTS headers on the Heroku Bugherder instance

Status: NEW, Unassigned
Product: Tree Management, Component: Bugherder
Opened 2 years ago, updated a year ago
Reporter: emorley
Blocks: 1 bug

Description (emorley, Reporter), 2 years ago
Currently HSTS headers aren't set, which means anyone who hasn't bookmarked the HTTPS Bugherder (or doesn't have the redirect cached) could be man-in-the-middled on a malicious network.

Options are to either add HSTS support to express-sslify (preferred) or else use the separate helmetjs hsts middleware.

I've filed an issue for express-sslify:
https://github.com/florianheinemann/express-sslify/issues/14

And the helmet hsts middleware can be found here:
https://github.com/helmetjs/hsts
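
What the combination asked for here (HTTPS redirect plus HSTS behind Heroku's TLS-terminating router) looks like as a dependency-free Express-style middleware. This is an added example, not code from express-sslify, helmet or Bugherder; the function names, the option names, the stub request objects and the 180-day `max-age` are assumptions chosen for illustration.

```javascript
// Added example (hypothetical names throughout; not express-sslify or helmet code).

// Builds the Strict-Transport-Security header value (RFC 6797).
function hstsValue({ maxAge = 15552000, includeSubDomains = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer (seconds)');
  }
  return `max-age=${maxAge}` + (includeSubDomains ? '; includeSubDomains' : '');
}

// On Heroku the app itself sees plain HTTP, so the original scheme is only
// visible in X-Forwarded-Proto. Trust it only when the platform sets it.
function isSecure(req, trustProtoHeader) {
  if (req.secure || (req.socket && req.socket.encrypted)) return true;
  if (!trustProtoHeader) return false;
  return String(req.headers['x-forwarded-proto'] || '').toLowerCase() === 'https';
}

function httpsWithHsts(options = {}) {
  const header = hstsValue(options);
  const trust = options.trustProtoHeader === true;
  return function (req, res, next) {
    if (isSecure(req, trust)) {
      // Browsers honour HSTS only when it arrives over HTTPS.
      res.setHeader('Strict-Transport-Security', header);
      return next();
    }
    // Plain HTTP: redirect without the header, which would be ignored anyway.
    res.statusCode = 301;
    res.setHeader('Location', `https://${req.headers.host}${req.url}`);
    res.end();
  };
}

// Constructed request/response stubs so both paths can be exercised offline.
function simulate(headers, options) {
  const out = { headers: {}, statusCode: 200, passed: false };
  const res = {
    setHeader: (k, v) => { out.headers[k] = v; },
    end: () => {},
    set statusCode(code) { out.statusCode = code; },
  };
  const req = { headers, url: '/', socket: {} };
  httpsWithHsts(options)(req, res, () => { out.passed = true; });
  return out;
}
```

The first plain-HTTP visit still goes out unprotected; HSTS only closes the window for later visits within `max-age`.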

Updated by emorley (Reporter), a year ago
Blocks: 1246672