
I have two webapps.

Both are used for testing in a reverse proxy scenario.

SAN certificate is used (Subject Alternative Name) for both.

1 allows adding a security exception, the other does not.

The one that allows it has the HSTS header on only one page, added in the PHP code itself:

```php
<?php header("strict-transport-security: max-age=600"); ?>
```

The other - no idea, I don't have access to the source code.

Possible reasons on why 1 can have an exception and the other can't would be very helpful to me. Thank you.


1 Answer

4

HSTS is used by the operator of a web server or web application as a better protection against man-in-the-middle attacks. It does this by addressing the following man-in-the-middle techniques:

  • Replacing HTTPS links with HTTP, i.e. sslstrip attack: The browser will not allow HTTP access to sites where it knows (from earlier visits) that this site enforces HTTPS.
  • SSL man in the middle with a fake certificate in the hope that the user will just add an exception to "get the free iPad" or whatever kind of social engineering is used: This is done by denying HSTS sites this exception.

Thus these restrictions are an explicit choice of the site operator to add better security even for the non-technical users.

Steffen Ullrich
  • Yea, but I can add an exception to one of the sites - the one where I control the origin. I added them with: . Why can the behavior be different? ... I added this header only to 1 page of the site. – Mindaugas Bernatavičius Aug 16 '16 at 15:36
  • 1
    @MindaugasBernatavičius: it might be that the client did not see the HSTS header yet because it did not visit the page in question. Or it might be that your code is wrong and the header was not sent (i.e. calling header after sending other content). Once the client has seen this header for the site it should not allow any exceptions. – Steffen Ullrich Aug 16 '16 at 15:53
  • Thanks Steffen, so exceptions should never be allowed for any user-agent that respects the RFC for HSTS? Correct? .. I'm adding my code for reference (I really want to understand this and appreciate your help). This is the code: https://p.defau.lt/?OVrARCUELq5H2XlJtND9Vg ... let me know what else can I check. – Mindaugas Bernatavičius Aug 16 '16 at 19:08
  • 1
    @MindaugasBernatavičius: yes, see [RFC 6797, page 9](https://tools.ietf.org/html/rfc6797#page-9): *7. UAs need to prevent users from "clicking through" security warnings. Halting connection attempts in the face of secure transport exceptions is acceptable.* Apart from that the code looks ok for me, so maybe the client did not visit this specific page yet. – Steffen Ullrich Aug 16 '16 at 19:33
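To make the answer and the comment thread concrete, here is an added example (not code from the question, the answer, or any browser) of the per-host policy store that RFC 6797 asks a user agent to keep. It shows the three behaviours discussed above: a response without the header leaves the host unknown, so an exception is still possible (the "client did not see the page yet" case); once a `Strict-Transport-Security` header with a valid `max-age` arrives over HTTPS, `http://` URLs for that host are rewritten to `https://` (RFC 6797 section 8.3, the sslstrip case) and no click-through is permitted (sections 8.4 and 12.1); and a header received over plain HTTP is ignored (section 8.1). The host names (`app.example`, `corp.example`), the fixed clock and the response header lists are constructed for the demonstration.

```python
"""Minimal RFC 6797 HSTS policy store, written as an added illustration
of what a conforming user agent remembers about a host."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# One STS directive: name, optionally =value (quoted or not).
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*)"?)?\s*')


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be demonstrated
        self._policies = {}        # host -> (expires_at, include_subdomains)

    def process_response(self, url, headers, secure_transport):
        """Apply the STS header of a response for `url`.
        Returns True if a policy was added or removed, False if nothing changed.
        RFC 6797 8.1: the header is only honoured when received over a secure
        connection without certificate errors; only the first STS field counts."""
        host = urlsplit(url).hostname.lower()
        value = next((v for n, v in headers
                      if n.lower() == "strict-transport-security"), None)
        if value is None or not secure_transport:
            return False
        max_age, include_sub = None, False
        for part in value.split(";"):
            m = _DIRECTIVE.fullmatch(part)
            if not m:
                continue
            name, val = m.group(1).lower(), m.group(2)
            if name == "max-age" and max_age is None and val and val.isdigit():
                max_age = int(val)            # first max-age wins
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                      # max-age is mandatory (6.1.1)
        if max_age == 0:
            self._policies.pop(host, None)    # max-age=0 deletes the policy
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """8.2: the host itself, or a superdomain with includeSubDomains,
        has an unexpired policy. Expired entries are dropped lazily."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:
                del self._policies[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_url(self, url):
        """8.3: upgrade http:// to https:// for known hosts; port 80 becomes
        the default https port, any other explicit port is kept."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.is_known_host(p.hostname):
            netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url

    def may_click_through(self, host):
        """8.4 / 12.1: a known HSTS host gets no 'add security exception' option."""
        return not self.is_known_host(host)


if __name__ == "__main__":
    # Constructed walk-through of the situation in the question.
    store = HstsStore()
    # Page without the header: host still unknown, exception still possible.
    store.process_response("https://app.example/index.php",
                           [("Content-Type", "text/html")], True)
    print("exception allowed before header seen:", store.may_click_through("app.example"))
    # The one page that sends the header from the question's PHP snippet.
    store.process_response("https://app.example/login.php",
                           [("Strict-Transport-Security", "max-age=600")], True)
    print("exception allowed after header seen:", store.may_click_through("app.example"))
    print("http link rewritten to:", store.rewrite_url("http://app.example/index.php"))
```

Run against the question's setup, the store stays empty until the browser has actually loaded the single page that emits the header; until then an exception can still be added, which matches the explanation in the comments. For a real check of whether the header leaves the server at all, request that exact page over HTTPS and inspect the response headers rather than the source.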