Summary
The nginx/nginx.conf currently handles SPA routing but does not set a Strict-Transport-Security (HSTS) header. Without HSTS, browsers may downgrade HTTPS connections to HTTP on subsequent visits, exposing users to man-in-the-middle attacks.
Note: #624 tracks adding CSP and X-Frame-Options headers; HSTS is a complementary but distinct control.
Severity: MEDIUM
Remediation
Add the following to the server block in nginx/nginx.conf:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Also consider adding:
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
References
Summary
The
nginx/nginx.confcurrently handles SPA routing but does not set aStrict-Transport-Security(HSTS) header. Without HSTS, browsers may downgrade HTTPS connections to HTTP on subsequent visits, exposing users to man-in-the-middle attacks.Note: #624 tracks adding CSP and X-Frame-Options headers; HSTS is a complementary but distinct control.
Severity: MEDIUM
Remediation
Add the following to the
serverblock innginx/nginx.conf:Also consider adding:
References