Hi,
is there a way to change the strict-transport-security when using a custom domain for status page?
Thanks,
Martin
Hi Martin,
There is no way to change the HTTP Strict-Transport-Security response header, as we do not provide direct access to it.
Hi,
Can you please add this as a feature suggestion, as lacking HSTS goes against best practice and does show up as an issue for SOC compliance.
//Cheers Henrik
Hi @henrik_wejdmark ,
We have STATUS-596 logged for the ability to customize the Statuspage HSTS headers.
That's great that it's tracked, unfortunately STATUS-596 is not public so I can't see or watch it.
//Cheers Henrik
Hi @henrik_wejdmark ,
The Statuspage project is not public at this time so none of the issues from that project are available. It is possible that the project may be made public at some point for easier tracking.
I understand you need to filter which issues you show publicly, but Statuspage shows plenty public issues, unfortunately not STATUS-596.
See: https://jira.atlassian.com/projects/STATUS/issues/STATUS-729?filter=allopenissues
//Cheers
Henrik
Hi @henrik_wejdmark ,
You're right, I meant to say that the feature requests from Statuspage are not public, but the bugs are made public. Since STATUS-596 is a feature request, it won't show up until/unless there is a change to the visibility for feature requests.
Hey @John M !
We just had this come up with one of our customers doing a security review of us as a vendor. Can you please add us/me as a customer on the feature request STATUS-596?
Thanks,
Eliot
Hi @Eliot Cohen ,
Sure, we can do that, however we need to link it to a support ticket with your customer information. If you could please open a Statuspage support ticket here:
https://support.atlassian.com/contact/#/
And just state that you would like to be added to STATUS-596, we can get that taken care of for you.
@John M we have the same issue, low HSTS max age keeps showing up on our security review. Will be raising a ticket above mentioning that we need and are waiting on STATUS-596.
Just posting here as well in case something else is required.
Hey @John M
I have a similar issue. Our site is getting flagged for HSTS max age and HSTS missing subdomain as the header reads "strict-transport-security: max-age=259200". Ideally what we are looking for is Strict-Transport-Security: max-age=31536000; includeSubDomains and preload if possible.
I can see that this issue has been open since 2022 and the current discussion is from Feb 2024. This doesn't seem to be a very complex change. May I know why it is taking 10 months or more just to fix this, as this seems to be a concern for many Atlassian users.
I also will throw my hat in the ring as this issue is flagging our Status Page as being less than secure for SOC2 purposes. Please help!
Independent validation via https://hstspreload.org/ shows the asset does not adhere to HSTS best practices (max-age directive is still shorter than best practices; header is still missing the includeSubDomains directive). Please review https://support.securityscorecard.com/hc/en-us/articles/360058576372-Website-Does-Not-Implement-HSTS-Best-Practices.
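The checks the two posts above describe (max-age below one year, missing includeSubDomains, missing preload) can be reproduced against your own status page before a vendor review runs them. This is an added example, not code from the thread, from Atlassian or from hstspreload.org; it only inspects the header value and assumes the hstspreload.org thresholds (max-age of at least 31536000 seconds, includeSubDomains, preload), not the other submission requirements such as the HTTP-to-HTTPS redirect.

```python
"""Check a Strict-Transport-Security header value against HSTS best-practice thresholds."""
import re
import urllib.request

# One year in seconds: the max-age the thread asks for and hstspreload.org requires (assumed threshold).
ONE_YEAR = 31536000


def parse_hsts(header):
    """Parse an HSTS header value into (max_age, flags); max_age is None when absent or malformed."""
    max_age = None
    flags = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            # RFC 6797 allows the value to be quoted; accept both forms.
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if match:
                max_age = int(match.group(1))
        else:
            flags.add(name)
    return max_age, flags


def hsts_findings(header):
    """Return the list of best-practice findings for a header value; an empty list means compliant."""
    if header is None:
        return ["HSTS header missing"]
    findings = []
    max_age, flags = parse_hsts(header)
    if max_age is None:
        findings.append("max-age directive missing or malformed")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in flags:
        findings.append("includeSubDomains directive missing")
    if "preload" not in flags:
        findings.append("preload directive missing")
    return findings


def fetch_hsts(url):
    """HEAD the given URL and return its Strict-Transport-Security value (None if absent)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed samples: the header quoted in the thread and the header it asks for.
    for sample in ["max-age=259200", "max-age=31536000; includeSubDomains; preload"]:
        print(sample, "->", hsts_findings(sample) or "OK")
```

To check a live page, call `hsts_findings(fetch_hsts("https://<your-status-page>/"))` with your own custom domain.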