HSTS check fail with Connect Security Requirements Tester (CSRT)

Thank you @BriceGestas . We managed to fix this via RequestsInterceptor

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

@Component
public class RequestsInterceptor implements HandlerInterceptor {
    // Ten years, applied to subdomains, and eligible for the browser preload list.
    private static final String HSTS_VALUE = "max-age=315360000; includeSubDomains; preload";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        // setHeader rather than addHeader: the response must carry exactly one
        // Strict-Transport-Security header even though postHandle sets it again.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) {
        // Has no effect if the handler already committed the response; preHandle is the one that counts.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
        // Nothing to do once the response has been written.
    }
}

which is another way of implementing this header.

Kind Regards,
Philip


Hi @fkasapov ,

I have added your suggested code but it is not working. Could you check my code and kindly let me know if I am missing something.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

@Component
public class RequestsInterceptor implements HandlerInterceptor {
    private static final String HSTS_VALUE = "max-age=315360000; includeSubDomains; preload";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        // Debug trace: if this never prints, the interceptor is not registered with Spring MVC.
        System.out.println("Testing 1---------------------------------------------------");
        // setHeader so the response carries a single Strict-Transport-Security header.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) {
        System.out.println("Testing 2---------------------------------------------------");
        // Has no effect if the handler already committed the response.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
        // Nothing to do once the response has been written.
    }
}

Hi @BriceGestas ,

I have added the WebSecurityConfigurerAdapter solution and I am able to see the HSTS header in the response, but after that I am not able to install the app using the “Upload App” option.

WebSecurityConfig Class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .preload(true)
                .maxAgeInSeconds(31536000)
                // Spring's HSTS writer only fires when request.isSecure() is true by default;
                // match every request so the header is also sent behind a TLS-terminating load balancer.
                .requestMatcher(r -> true);

        http.headers().contentTypeOptions();
        // Connect modules are rendered in an iframe by the host product, so X-Frame-Options must not be DENY.
        http.headers().frameOptions().disable();
        http.headers().referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER);
    }
}

Kindly let me know if I am missing something in spring boot configuration or AWS.

PFA for details:


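The install failure described above is what you get when a WebSecurityConfigurerAdapter overrides configure(HttpSecurity) and only configures headers: Spring Security's default CSRF protection stays enabled, and the POST lifecycle callback Atlassian sends on install carries no CSRF token, so it is rejected. The configuration below is an added example, not code from this thread or from Atlassian, showing one way to emit the HSTS header on every response while keeping the lifecycle endpoints reachable. It assumes Spring Boot 2.x with Spring Security 5.2 or later (lambda DSL); the lifecycle paths /installed and /uninstalled and the class name ConnectSecurityConfig are assumptions, and the paths should match those declared in your atlassian-connect.json.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

/**
 * Security-header configuration for a Spring Boot 2.x / Spring Security 5.2+ Connect app.
 * Overriding configure(HttpSecurity) replaces the default authorization rules, but CSRF
 * protection remains enabled, so Atlassian's POST lifecycle callbacks must be exempted.
 */
@Configuration
@EnableWebSecurity
public class ConnectSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed lifecycle paths; use the ones declared in your atlassian-connect.json.
    private static final String[] LIFECYCLE_ENDPOINTS = {"/installed", "/uninstalled"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Atlassian calls these endpoints server-to-server with a JWT, never from a browser
            // session, so no CSRF token is present. Exempt only them rather than disabling CSRF.
            .csrf(csrf -> csrf.ignoringAntMatchers(LIFECYCLE_ENDPOINTS))
            // Request authentication (JWT verification) is the Connect framework's job, not this
            // config's; here Spring Security only manages response headers and CSRF.
            .authorizeRequests(auth -> auth.anyRequest().permitAll())
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .preload(true)
                    .maxAgeInSeconds(31536000)
                    // The default writer emits HSTS only when request.isSecure() is true, which
                    // is false behind a TLS-terminating load balancer unless forwarded headers
                    // are honoured. Emit it on every response instead; browsers ignore HSTS
                    // received over plain HTTP, so this is safe.
                    .requestMatcher(AnyRequestMatcher.INSTANCE))
                .contentTypeOptions(withDefaults())
                // Connect modules render in an iframe inside the host product, so the default
                // X-Frame-Options: DENY would break them.
                .frameOptions(frame -> frame.disable())
                .referrerPolicy(rp -> rp.policy(ReferrerPolicy.NO_REFERRER)));
    }
}
```

After deploying, check the header on the public URL the scanner sees (for example with curl -sSI https://your-app.example/ | grep -i strict-transport-security) and confirm that a POST to the lifecycle endpoint without a CSRF token no longer returns 403. If you prefer to keep the secure-request-only default for HSTS, set server.forward-headers-strategy so that request.isSecure() reflects the load balancer's X-Forwarded-Proto instead of matching every request.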
We are using Ratpack for our Connect App. We have a class that adds the security header on all requests. I can see it when testing manually, but the scanner is still failing. Could this also be a false positive issue with the scanner?

Hi @dchouksey89,
you have to register your handler, e.g.:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfiguration implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // A HandlerInterceptor only runs once it is added to the MVC registry;
        // the @Component annotation on its own does not register it.
        registry.addInterceptor(new RequestsInterceptor());
    }

}