HSTS preloading

Regarding the risk of HTTP interception and getting a state-of-the-art configuration, it would be nice and more secure if you HSTS-preloaded the whole bitwarden.com domain.
See https://hstspreload.org/ for more information.

Great idea, and it looks easy to implement.

Woah, nice catch!

BW uses tons of great security headers, but I don’t understand why the HSTS header is:

  1. set to 180 days???
  2. no includeSubDomains?
  3. no preload???

Is there some resource on *.bitwarden.com that needs to be served over HTTP???

If not:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Even on the normal landing page (not just the vault subdomain)

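The three points raised in the post above (max-age too short, no includeSubDomains, no preload) are exactly what hstspreload.org rejects a header for. The following script is an added example, not part of this thread and not Bitwarden's code: it parses a Strict-Transport-Security value per RFC 6797 and reports which preload requirements it misses. The two sample header values are constructed for illustration (the 180-day value corresponds to the configuration complained about; the second is the recommended one). The optional `fetch_hsts` helper performs a live HTTPS HEAD request and is only called when a hostname is passed on the command line.

```python
"""Check a Strict-Transport-Security header against the hstspreload.org
header requirements: max-age of at least one year, includeSubDomains, preload.
(Added example; the live fetch is optional and not needed for the checks.)"""
import http.client
import re
import sys

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(header_value):
    """Parse an HSTS header value into {directive_name: value} per RFC 6797.

    Directive names are case-insensitive, values may be quoted, and a
    directive must not appear more than once (the header is invalid if it does).
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def hsts_preload_problems(header_value):
    """Return the list of reasons the header would fail preload submission.

    An empty list means the header itself satisfies the preload requirements
    (the site must additionally redirect HTTP to HTTPS, which is not checked here).
    """
    try:
        d = parse_hsts(header_value)
    except ValueError as e:
        return [str(e)]
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age (header is invalid without it)")
    elif not re.fullmatch(r"\d+", d["max-age"]):
        problems.append(f"max-age is not an integer: {d['max-age']!r}")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        days = int(d["max-age"]) // 86400
        problems.append(f"max-age {d['max-age']} (~{days} days) is below one year")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def fetch_hsts(host):
    """Return the Strict-Transport-Security value served by host over HTTPS,
    or None if the header is absent. Network access required; not used in tests."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check, e.g.: python hsts_check.py bitwarden.com
        value = fetch_hsts(sys.argv[1])
        samples = {sys.argv[1]: value or ""}
    else:
        # Constructed sample values: a 180-day header, and the recommended one.
        samples = {
            "180-day header": "max-age=15552000",
            "recommended": "max-age=31536000; includeSubDomains; preload",
        }
    for label, value in samples.items():
        problems = hsts_preload_problems(value)
        print(f"{label}: {value!r} -> {problems or 'OK for preload'}")
```

Header-level checks are only part of what hstspreload.org verifies; it also requires the bare domain to redirect HTTP to HTTPS and every subdomain to be reachable over HTTPS, which is why the "is anything served over HTTP" question in the post matters before adding includeSubDomains.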

@kspearrin What do you think about it?

Preloading and subdomains are now set on bitwarden.com.
