It was found that, in OpenShift Container Platform, multiple default Routes did not have HTTP Strict Transport Security (HSTS) enabled. HSTS is an optional response header that a server sends to instruct the browser to communicate with that host only over HTTPS for the stated max-age. Without HSTS, a first request over plain HTTP can be downgraded or intercepted by an SSL-stripping man-in-the-middle attacker, and the protections against cookie hijacking are weakened.
HSTS can be configured on individual Routes; however, the default cluster Routes in OpenShift are managed by their respective operators, which may revert manual changes to those Routes, including an added HSTS annotation.
To enable HSTS on a Route, add the haproxy.router.openshift.io/hsts_header annotation to an edge-terminated or re-encrypt Route in its YAML configuration. The router only inserts the header where it terminates TLS, so the annotation has no effect on passthrough Routes:
apiVersion: v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
Affected URL(s):
https://oauth-openshift.apps.<cluster>.com/oauth/authorize
https://console-openshift-console.apps.<cluster>.com/
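The following is an added example, not part of the original advisory and not code from the OpenShift project. It shows the check a practitioner would run against the affected URLs above and the remediation step from the text: check_hsts inspects a block of HTTP response headers (as captured by `curl -sI https://host/`) for a Strict-Transport-Security header whose max-age meets a chosen minimum, and annotate_cmd prints the `oc annotate` command that sets the annotation on a Route. The sample header blocks are constructed, the one-year minimum is an assumed policy, and the namespace/route names used in the usage call are assumptions; the annotation is only effective on edge-terminated or re-encrypt Routes.

```shell
#!/bin/sh
# Added example (not from the advisory): audit response headers for a usable
# HSTS policy, then emit the oc command that adds the Route annotation.

# Minimum acceptable max-age in seconds; 31536000 = one year (assumed policy).
HSTS_MIN_AGE=31536000

# check_hsts HEADERS
#   HEADERS: raw HTTP response headers, e.g. the output of `curl -sI URL`.
#   Returns 0 when a Strict-Transport-Security header is present and its
#   max-age is at least HSTS_MIN_AGE; returns 1 otherwise.
check_hsts() {
    headers="$1"
    # Header names are case-insensitive; strip CR so CRLF responses parse too.
    line=$(printf '%s\n' "$headers" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$line" ] || return 1
    age=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || return 1
    [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# annotate_cmd NAMESPACE ROUTE
#   Prints the oc command that sets the HSTS annotation on the given Route.
#   --overwrite replaces any existing value of that annotation. Note that an
#   operator-managed Route may have this change reverted by its operator.
annotate_cmd() {
    printf 'oc -n %s annotate route %s --overwrite haproxy.router.openshift.io/hsts_header="max-age=31536000;includeSubDomains;preload"\n' "$1" "$2"
}

# Constructed sample header blocks standing in for `curl -sI` output.
WITH_HSTS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
Content-Type: text/html'

NO_HSTS='HTTP/1.1 302 Found
Location: https://oauth-openshift.apps.example.com/oauth/authorize
Content-Type: text/html'

SHORT_HSTS='HTTP/1.1 200 OK
strict-transport-security: max-age=60'

# Usage: report each sample and print the remediation for a failing Route.
# Namespace and Route name below are assumed, not taken from the advisory.
for sample in "$WITH_HSTS" "$NO_HSTS" "$SHORT_HSTS"; do
    if check_hsts "$sample"; then
        echo "OK: HSTS present with max-age >= $HSTS_MIN_AGE"
    else
        echo "MISSING or weak HSTS; remediation:"
        annotate_cmd openshift-console console
    fi
done
```

In practice the header block comes from `curl -sI` against each affected URL; a 302 redirect such as the OAuth authorize endpoint still needs the header on the redirect response, which is why the check does not require a 200 status.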