[Openid-specs-fapi] Issue #274: Require HSTS for authorization server (openid/fapi)
issues-reply at bitbucket.org
Wed Dec 18 14:50:33 UTC 2019
New issue 274: Require HSTS for authorization server
Discussion on today's call mentioned that some analysis of FAPI assumes that HTTP Strict Transport Security is enabled for the authorization server, to prevent some attacks like users clicking through warnings about invalid TLS certificates in some scenarios.
This isn't mentioned in FAPI currently. Daniel mentioned he saw this as basic web security. Dave checked several UK banks and it appeared several hadn't enabled HSTS.
We should probably add text to FAPI requiring HSTS. This should probably apply to clients as well?
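The check below, added here and not part of FAPI or the openid/fapi repository, parses a Strict-Transport-Security header per RFC 6797 directive syntax and classifies an authorization server's HSTS posture; the sample responses, hostnames and the one-year minimum max-age are constructed assumptions.

```python
import re

# Assumed policy threshold (not from the spec): one year, as commonly recommended.
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).
    Returns (max_age, include_subdomains, preload), or None if the header is
    absent or lacks a valid max-age directive, which RFC 6797 requires."""
    if header_value is None:
        return None
    max_age, include_subdomains, preload = None, False, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None  # malformed: RFC 6797 says user agents ignore an invalid header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return (max_age, include_subdomains, preload)


def assess_hsts(headers):
    """Classify one HTTPS response's HSTS posture as 'missing', 'weak' or 'ok'.
    (Browsers only honour HSTS received over TLS, so check the HTTPS response.)"""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    policy = parse_hsts(lowered.get("strict-transport-security"))
    if policy is None:
        return "missing"
    if policy[0] < MIN_MAX_AGE:
        return "weak"
    return "ok"


# Constructed sample responses from hypothetical authorization servers.
SAMPLE_RESPONSES = {
    "as.bank-a.example": {"Content-Type": "text/html"},
    "as.bank-b.example": {"Strict-Transport-Security": "max-age=300"},
    "as.bank-c.example": {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLE_RESPONSES.items():
        print(f"{host}: HSTS {assess_hsts(hdrs)}")
```

A 'missing' or 'weak' result means a user who reaches the authorization server can still be shown a bypassable certificate warning, which is the scenario the call was concerned about.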