Bug 2092304 - openshift: Strict Transport Security Not Enforced
Summary: openshift: Strict Transport Security Not Enforced
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: weakness
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2092305
Blocks: 2176332 2203267
Reported: 2022-06-01 09:13 UTC by lnacshon
Modified: 2023-07-11 22:53 UTC
CC: 12 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description lnacshon 2022-06-01 09:13:10 UTC
It was found in OpenShift Container Platform that multiple default Routes did not have HTTP Strict Transport Security (HSTS) enabled. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

HSTS can be configured on individual Routes; however, default cluster Routes in OpenShift are managed by their respective operators, which may revert HSTS changes.

To enable HSTS on a route, add the haproxy.router.openshift.io/hsts_header annotation to the edge-terminated or re-encrypt route within the YAML configuration:
apiVersion: route.openshift.io/v1   # Route API group served by OpenShift 4 (the ungrouped "v1" form is not)
kind: Route
metadata:
  name: example                     # example name; metadata.name is mandatory for the object to apply
  annotations:
    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
spec:
  tls: {termination: edge}          # the annotation is only honoured on edge or reencrypt routes
  to: {kind: Service, name: example}  # example backend; spec.to is mandatory


Affected URL(s):

https://oauth-openshift.apps.<cluster>.com/oauth/authorize
https://console-openshift-console.apps.<cluster>.com/

Comment 6 Sam Fowler 2023-03-08 00:23:01 UTC
Exploitation of this requires some kind of Man-In-The-Middle (MITM) attack[0], hence a rating of Moderate.

[0] https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html#threats

