Regarding the risk of HTTP interception and getting a state-of-the-art configuration, it would be nice and more secure if you HSTS preload the whole bitwarden.com domain.
See https://hstspreload.org/ for more information.
Great idea, and it looks easy to implement.
Woah, nice catch!
BW uses tons of great security headers, but I don't understand why the HSTS header is:
- set to 180 days???
- no includeSubDomains?
- no preload???
Is there some resource on *.bitwarden.com that needs to be served with HTTP???
If not:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Even on the normal landing page (not just the vault subdomain)
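A small checker for the three preload requirements discussed above (max-age of at least one year, includeSubDomains, preload), as an added example that is not from the thread; the two sample header values are constructed to mirror the 180-day header and the proposed one:

```python
"""Check a Strict-Transport-Security header value against the
hstspreload.org submission requirements (added example, not from the thread)."""

# Preload requires max-age of at least one year (https://hstspreload.org/)
MIN_PRELOAD_MAX_AGE = 31536000  # seconds


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into a dict of lower-cased directives.
    Directive names are case-insensitive per RFC 6797; max-age is converted
    to int, or set to None when it is not a valid integer."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if "max-age" in directives:
        try:
            directives["max-age"] = int(directives["max-age"])
        except ValueError:
            directives["max-age"] = None  # malformed value
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons the header would not satisfy the preload list
    requirements; an empty list means the header is eligible."""
    d = parse_hsts(header)
    problems = []
    max_age = d.get("max-age")
    if max_age is None:
        problems.append("missing or malformed max-age")
    elif max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age}s is below one year ({MIN_PRELOAD_MAX_AGE}s)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample values: 180 days (180 * 86400 s) vs. the proposed header
CURRENT_HEADER = "max-age=15552000"
PROPOSED_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, hdr in (("current", CURRENT_HEADER), ("proposed", PROPOSED_HEADER)):
        issues = preload_problems(hdr)
        print(f"{label}: {'eligible' if not issues else '; '.join(issues)}")
```

Point it at the header value a site actually returns (e.g. from `curl -sI`) to see which requirements still block a preload submission.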