[Openid-specs-fapi] Issue #274: Require HSTS for authorization server (openid/fapi)

josephheenan issues-reply at bitbucket.org
Wed Dec 18 14:50:33 UTC 2019

New issue 274: Require HSTS for authorization server

Joseph Heenan:

Discussion on today’s call mentioned that some analyses of FAPI assume that HTTP Strict Transport Security is enabled for the authorization server, to prevent some attacks, like users clicking through warnings about invalid TLS certificates in some scenarios.

This isn’t mentioned in FAPI currently. Daniel mentioned he saw this as basic web security. Dave checked several UK banks and it appeared that several hadn’t enabled HSTS.

We should probably add text to FAPI requiring HSTS. This should probably apply to clients as well?
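The HSTS requirement discussed above, as an added example (not code from the FAPI spec or from this mailing list): a Python check that inspects an authorization server's response headers and reports a missing, malformed or weak Strict-Transport-Security policy. The one-year max-age threshold is an assumption; the header values used to exercise it are constructed.

```python
"""Check an authorization server's HTTPS response for an HSTS policy (RFC 6797).

Added example, not FAPI or mailing-list code; the one-year max-age
threshold is an assumption, not a FAPI requirement.
"""
import re
from typing import Dict, List, Optional

MIN_MAX_AGE = 31536000  # one year, a common hardening baseline (assumption)

def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse a Strict-Transport-Security value into a directive map.

    Returns None when the header is malformed under RFC 6797: a repeated
    directive, or a max-age that is missing or not a plain integer.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # directives MUST NOT be repeated
            return None
        directives[name] = val.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return directives

def check_hsts(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means the policy is adequate."""
    if scheme.lower() != "https":
        # Browsers ignore HSTS received over plain HTTP, so it adds no protection there
        return ["response not over TLS; browsers ignore HSTS on plain HTTP"]
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return [f"malformed Strict-Transport-Security header: {value!r}"]
    findings: List[str] = []
    if int(parsed["max-age"]) < MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max-age']} below {MIN_MAX_AGE}")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains not set")
    return findings
```

Run it against the headers returned by an authorization server's well-known and authorization endpoints; a non-empty list is a finding to raise with the operator.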
