751ffe123d
Summary: Ref T4340. The attack this prevents is: - An adversary penetrates your network. They acquire one of two capabilities: - Your server is either configured to accept both HTTP and HTTPS, and they acquire the capability to observe HTTP traffic. - Or your server is configured to accept only HTTPS, and they acquire the capability to control DNS or routing. In this case, they start a proxy server to expose your secure service over HTTP. - They send you a link to `http://secure.service.com` (note HTTP, not HTTPS!) - You click it since everything looks fine and the domain is correct, not noticing that the "s" is missing. - They read your traffic. This is similar to attacks where `https://good.service.com` is proxied to `https://good.sorvace.com` (i.e., a similar looking domain), but can be more dangerous -- for example, the browser will send (non-SSL-only) cookies and the attacker can write cookies. This header instructs browsers that they can never access the site over HTTP and must always use HTTPS, defusing this class of attack. Test Plan: - Configured HTTPS locally. - Accessed site over HTTP (got application redirect) and HTTPS. - Enabled HSTS. - Accessed site over HTTPS (to set HSTS). - Tore down HTTPS part of the server and tried to load the site over HTTP. Browser refused to load "http://" and automatically tried to load "https://". In another browser which had not received the "HSTS" header, loading over HTTP worked fine. - Brought the HTTPS server back up, things worked fine. - Turned off the HSTS config setting. - Loaded a page (to set HSTS with expires 0, diabling it). - Tore down the HTTPS part of the server again. - Tried to load HTTP. - Now it worked. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4340 Differential Revision: https://secure.phabricator.com/D11820 |
||
|---|---|---|
| bin | ||
| conf | ||
| externals | ||
| resources | ||
| scripts | ||
| src | ||
| support | ||
| webroot | ||
| .arcconfig | ||
| .arclint | ||
| .editorconfig | ||
| .gitignore | ||
| LICENSE | ||
| NOTICE | ||
| README.md | ||
Phabricator is an open source collection of web applications which help software companies build better software.
Phabricator includes applications for:
- reviewing and auditing source code;
- hosting and browsing repositories;
- assembling a party to venture forth;
- tracking bugs;
- managing projects;
- writing stuff down and reading it later;
- hiding stuff from coworkers; and
- also some other things.
You can learn more about the project (and find links to documentation and resources) at Phabricator.org
Phabricator is developed and maintained by Phacility. The first version of Phabricator was originally built at Facebook.
BUG REPORTS
Please update your install to HEAD before filing bug reports. Follow our bug reporting guide for complete instructions.
FEATURE REQUESTS
We're big fans of feature requests that state core problems, not just 'add this'. We've compiled a short guide to effective upstream requests here.
COMMUNITY CHAT
Please visit our IRC Channel (#phabricator on FreeNode) to talk with other members of the Phabricator community. There might be someone there who can help you with setup issues or what image to choose for a macro.
SECURITY ISSUES
Phabricator participates in HackerOne and may pay out for various issues reported there. You can find out more information on our HackerOne page.
PULL REQUESTS
We do not accept pull requests through GitHub. If you would like to contribute code, please read our Contributor's Guide for more information.
LICENSE
Phabricator is released under the Apache 2.0 license except as otherwise noted.