HSTS check fail with Connect Security Requirements Tester (CSRT)

fkasapov · May 19, 2021, 7:11am

Thank you @BriceGestas . We managed to fix this via RequestsInterceptor

@Component
public class RequestsInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        response.addHeader("Strict-Transport-Security", "max-age=315360000; includeSubDomains; preload");
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) {
        response.addHeader("Strict-Transport-Security", "max-age=315360000; includeSubDomains; preload");
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {

    }
}

which is another way of implementing this header.

Kind Regards,
Philip

dchouksey89 · June 2, 2021, 1:26pm

Hi @fkasapov ,

I have added your suggested code but it is not working. Could you check my code and kindly let me know if I am missing something.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

@Component
public class RequestsInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
    	System.out.println("Testing 1---------------------------------------------------");
        response.addHeader("Strict-Transport-Security", "max-age=315360000; includeSubDomains; preload");
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) {
    	System.out.println("Testing 2---------------------------------------------------");
        response.addHeader("Strict-Transport-Security", "max-age=315360000; includeSubDomains; preload");
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {

    }
}

dchouksey89 · June 2, 2021, 2:21pm

Hi @BriceGestas ,

I have added WebSecurityConfigurerAdapter solution and I can able to see HSTS header in response but after that I am not able to install app using “Upload App” option.

WebSecurityConfig Class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

   @Override
   protected void configure(HttpSecurity http) throws Exception {
   	
   	 http.headers()
        .httpStrictTransportSecurity()
            .includeSubDomains(true)
            .preload(true)
            .maxAgeInSeconds(31536000)
            .requestMatcher(r -> true);
   	 		
   	 http.headers().contentTypeOptions();
   	 http.headers().frameOptions().disable();
   	 http.headers().referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER);
   }
}

Kindly let me know if I am missing something in spring boot configuration or AWS.

PFA for details:

RomyGreenfield · June 11, 2021, 11:00am

We are using Ratpack for our Connect App. We have a class that adds the security header on all requests. I can see it when testing manually, but the scanner is still failing. Could this also be a false positive issue with the scanner?

t.bundt · July 30, 2021, 12:38pm

Hi @dchouksey89,
you have to register your handler, e.g.:

@Configuration
public class WebConfiguration implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new RequestsInterceptor());
    }

}

KhilendraSahu · February 5, 2022, 5:16am

Hi [dchouksey89],

I have same issues got and solved.
In my case HSTS is exists in response header when call all api request but when plugin loaded first time in Atlassian that time HSTS header is missed because first time only loaded ui through servlet.
Now I have added HSTS header here and issue solved.

response.setHeader(“Strict-Transport-Security”, “max-age=31536000; includeSubDomains; preload”);

You can also check if this types of issues you have.

Thanks