Missing HSTS header
- New Feature
- Resolution: Unresolved
- Major
- None
- Jenkins enterprise 1.509.5.1
Description:
HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces the impact of bugs in web applications that leak session data through cookies and external links, and defends against man-in-the-middle attacks. HSTS also removes the ability for users to click through SSL negotiation warnings.
Issue Example:
Below is a server response with the missing HSTS header:
HTTP/1.1 200 OK
Date: Tue, 25 Mar 2014 09:40:06 GMT
Server: Winstone Servlet Engine v0.9.10
Expires: 0
Cache-Control: no-cache,must-revalidate
X-Hudson-Theme: default
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
X-Hudson: 1.395
X-Jenkins: 1.509.5.1 (Jenkins Enterprise by CloudBees 13.05)
X-Jenkins-Session: 8456547e
X-Hudson-CLI-Port: 46210
X-Jenkins-CLI-Port: 46210
X-Jenkins-CLI2-Port: 46210
X-SSH-Endpoint: 10.75.35.116:59696
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAufrFdr90ezSs51p3k56pEZ/57ErRzzF3jtp+FLU/f7M+84J6S35Y2NWo379t/sCTHCk/X/mUxy9ytx+lERSB1Vx4juXay/O+IaP2JrVD0NPQSrGmQo6ww/UzKkpZoAwRZFmHavm+dY0CtIuQkVD8M9BhaLLhtXzZipkEIM43Zj9gj04gP3kpsciu9U2jQ06sXWIJHdv9i51aa3iiW+kaFhmJea2KDI9h5trwOn8CqsTqAPfViubt4SrEhSrgklUnymJOAW8Auwy7he1B92nqf1k49Oi5XQ8amMFt8K3HCwxvQLE5rnp4gf4p+FaNYikqx5l10bPDAchMC9EnqdrxlwIDAQAB
Content-Length: 25927
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
Set-Cookie: JSESSIONID.414ae189=f714820873e51a11e4110cc582dab384; Path=/; HttpOnly
X-XSS-PROTECTION: 1; mode=block
Connection: close
Advice:
Set the Strict-Transport-Security header in the web server that serves Jenkins over HTTPS.
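As an added example (not Jenkins or CloudBees code, and not part of the original issue), the following script parses a raw HTTP response head and reports whether it carries a usable Strict-Transport-Security policy, the check the description and advice above describe. The first sample is the response quoted in the issue, trimmed to the headers that matter here; the second is a constructed variant of the same response with the header the advice asks for. The minimum max-age threshold is an assumption of this example, not a value from the issue.

```python
"""Check a raw HTTP response head for a usable Strict-Transport-Security policy.

Added example for this issue; it is not Jenkins or CloudBees code.
"""
import re
from typing import Dict, List

# Six months in seconds. The threshold is an assumption of this example
# (a common deployment target), not a value from the issue or from RFC 6797.
MIN_MAX_AGE = 15552000


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.1 response head into a lower-cased header map.

    Repeated headers (e.g. Set-Cookie) are kept in order as a list. Only the
    status line and headers are read; anything after the first blank line
    (the body) is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its RFC 6797 directives."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())  # value may be quoted
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(raw_response: str) -> Dict[str, object]:
    """Report whether the response carries an HSTS policy and whether it enforces anything."""
    values = parse_headers(raw_response).get("strict-transport-security", [])
    if not values:
        return {"present": False, "ok": False, "finding": "Strict-Transport-Security header missing"}
    # RFC 6797 section 8.1: a user agent processes only the first STS header field.
    policy = parse_hsts(values[0])
    result: Dict[str, object] = {"present": True, "ok": False, "policy": policy}
    max_age = policy["max_age"]
    if max_age is None:
        result["finding"] = "max-age directive missing; browsers ignore the header"
    elif max_age == 0:
        result["finding"] = "max-age=0 clears any stored policy instead of enforcing one"
    elif max_age < MIN_MAX_AGE:
        result["finding"] = f"max-age {max_age}s is below the {MIN_MAX_AGE}s minimum assumed here"
    else:
        result["ok"] = True
        result["finding"] = "usable HSTS policy present"
    return result


# Response quoted in the issue, trimmed to the headers relevant to this check.
ISSUE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 25 Mar 2014 09:40:06 GMT
Server: Winstone Servlet Engine v0.9.10
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
X-Jenkins: 1.509.5.1 (Jenkins Enterprise by CloudBees 13.05)
Set-Cookie: JSESSIONID.414ae189=f714820873e51a11e4110cc582dab384; Path=/; HttpOnly
X-XSS-PROTECTION: 1; mode=block
Connection: close

"""

# Constructed: the same response after a front web server adds the HSTS header.
FIXED_RESPONSE = ISSUE_RESPONSE.replace(
    "Connection: close",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\nConnection: close",
)

if __name__ == "__main__":
    for label, resp in (("issue response", ISSUE_RESPONSE), ("with HSTS header", FIXED_RESPONSE)):
        print(f"{label}: {check_hsts(resp)['finding']}")
```

The script only sees the header text, not the transport it arrived on; RFC 6797 requires browsers to ignore a Strict-Transport-Security header received over plain HTTP, so the header is only effective once Jenkins (or the web server in front of it) is actually served over HTTPS.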