Commit 532fdca

Karl Kemister-Sheppard authored and committed
SEC-281: Add awareness of HSTS to security.adoc for strict transport security.
1 parent de0dd33 commit 532fdca

File tree

1 file changed

+15
-0
lines changed

modules/ROOT/pages/security.adoc

Lines changed: 15 additions & 0 deletions
@@ -55,6 +55,21 @@ SVGs (Scalable Vector Graphics) are not supported in {productname} to protect ou
5555

5656
From the 1st of January 2020, Security Advisories for patched XSS vulnerabilities will be published on the https://github.com/tinymce/tinymce/security/advisories?state=published[{productname} GitHub repository Security page].
5757

58+
[[enforcing-https-with-hsts]]
59+
=== Enforcing HTTPS with HSTS
60+
61+
The {companyname} security team strongly recommends that customers embedding {productname} configure their web servers to include the HTTP Strict Transport Security (HSTS) header for websites served over HTTPS. This can be achieved by updating the server configurations to enable HSTS.
62+
63+
HSTS ensures that encrypted communications are exclusively used, mitigates downgrade attacks, and enhances the protection of user data. While integrating HSTS is optional for {productname}, adopting this best practice significantly reduces the risk of vulnerabilities in projects utilizing {productname}.
64+
65+
[IMPORTANT]
66+
Without HSTS, users accessing a website may be vulnerable to man-in-the-middle (MITM) attacks. Attackers can exploit this vulnerability by intercepting unencrypted HTTP traffic, redirecting users to malicious sites, or executing downgrade attacks to force connections over HTTP instead of HTTPS. This lack of encryption jeopardizes sensitive user data, including credentials, session cookies, and personal information. By enabling HSTS, these risks are effectively mitigated, as the browser enforces secure HTTPS connections for all future interactions with the site.
67+
68+
For comprehensive guidance on implementing HSTS, refer to the following resources:
69+
70+
* link:https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html[OWASP HSTS Cheat Sheet]
71+
* link:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[MDN Documentation on HSTS]
72+
5873
[[keeping-dependencies-up-to-date]]
5974
=== Keeping dependencies up-to-date
6075

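Review bot: the new section (lines 61 and 66) tells readers to "configure their web servers to include the HSTS header" but never shows the header or its directives, so the reader has to leave the page to learn what to set; add the concrete value after line 61, for example `Strict-Transport-Security: max-age=31536000; includeSubDomains`, and state the two caveats that matter in practice: browsers only honour the header when it arrives in a response over a valid HTTPS connection, and a long `max-age` commits the origin to serving HTTPS for that whole period, so deployments should start with a short value and raise it once HTTPS is confirmed to work everywhere. The IMPORTANT admonition at line 66 also overstates the coverage: HSTS blocks the HTTP-downgrade and stripping case but does not protect the very first visit before the header has been seen (the preload mechanism described in the linked MDN page addresses that), so "these risks are effectively mitigated" should be narrowed to downgrade and stripping attacks. Minor style point: lines 60-61 and 62-63 are doubled blank lines, whereas the surrounding context at lines 55-57 separates blocks with a single blank line.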
0 commit comments