Feature #12296
Add HSTS enforcement support to Redmine
Status: open
Description
During initial HTTPS session setup an attacker is able to run a MitM SSLStrip attack against a client connecting to the webserver, replacing any https:// links with http:// ones. This problem was demonstrated by Moxie Marlinspike at Black Hat in 2009, and there exists an IETF draft for an appropriate HTTPS header that can alleviate it. Basically, if you have ever visited a site via https before from a 'secure' environment, the site can tell you to always use https in the future for a given amount of time.
Except for IE, browsers already implement the required functionality, and it would be really nice to have it in Redmine as well. AFAIK all it takes is adding a few lines to the part that handles connections; Wikipedia provides the general layout for a RoR application.
Though I think one could also enforce this at a more global level, e.g. by configuring the webserver running the application, it would be nice to make this a (configurable?) feature inside the application to further secure the use of SSL.
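To illustrate the "few lines" the description refers to, here is an added example (not Redmine's code, and not from the issue author) of a minimal Rack-style middleware that sets the Strict-Transport-Security header. It uses only plain Ruby so it runs stand-alone; the class name, the max_age/include_subdomains options and the sample app are assumptions for this example, while the header name and directives come from the HSTS specification.

```ruby
# Added example: Rack-style middleware that adds the HSTS header.
# In a Rails app it would sit in the middleware stack (or be replaced by
# Rails' built-in config.force_ssl, which emits the same header).
class HstsMiddleware
  HEADER = 'Strict-Transport-Security'

  # max_age is in seconds; one year is a common choice once HTTPS is known
  # to work everywhere, because browsers will refuse plain HTTP until it expires.
  def initialize(app, max_age: 31_536_000, include_subdomains: false)
    @app = app
    @value = "max-age=#{max_age}"
    @value += '; includeSubDomains' if include_subdomains
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Browsers ignore the header on plain HTTP responses, so only set it when
    # the request really arrived over TLS (directly, or via a reverse proxy
    # that terminated TLS and set X-Forwarded-Proto).
    headers[HEADER] = @value if https?(env)
    [status, headers, body]
  end

  private

  def https?(env)
    return true if env['rack.url_scheme'] == 'https' || env['HTTPS'] == 'on'
    # X-Forwarded-Proto may carry a comma-separated chain; the first entry is
    # the scheme the client used towards the outermost proxy.
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end
end

# Constructed sample app (assumption) standing in for the Rails application.
SAMPLE_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }

# Returns the HSTS header value produced for a constructed Rack env, or nil.
def hsts_header_for(env)
  app = HstsMiddleware.new(SAMPLE_APP, max_age: 31_536_000, include_subdomains: true)
  _status, headers, _body = app.call(env)
  headers[HstsMiddleware::HEADER]
end

if __FILE__ == $PROGRAM_NAME
  puts "https: #{hsts_header_for('rack.url_scheme' => 'https').inspect}"
  puts "http:  #{hsts_header_for('rack.url_scheme' => 'http').inspect}"
end
```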