@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (27 fixed, 15 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (28 fixed, 14 open).
---
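Review bot: the sev-1 totals on the `+` line are hand-maintained and can only be verified by re-reading every `**Status:**` entry; the arithmetic here is consistent (28 fixed + 14 open = 42, one finding moved from open to fixed, matching F60 changing to Fixed in the second hunk), but consider listing the 14 still-open sev-1 IDs next to the roll-up, or deriving the line from the status markers, so the next update cannot silently drift from the per-finding entries.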
@@ -1957,6 +1957,19 @@
- **Risk:** Informational. Operators who want HSTS preload need to
add the directive.
- **Severity: 1**
+- **Status:** Fixed. Both Caddyfiles now read the HSTS header value
+ from a new `HSTS_HEADER` env var with the previous value
+ (`max-age=31536000; includeSubDomains`) as the default, so
+ operators who want to submit to https://hstspreload.org/ can opt
+ in by setting `HSTS_HEADER="max-age=31536000; includeSubDomains;
+ preload"` in their environment without patching the Caddyfile.
+ We deliberately don't enable `preload` by default: preload-listing
+ is a one-way commitment — browser preload removals take months —
+ and the M01 default is "operator runs the bundled compose stack
+ on a hostname they may want to retire". The `.env.example`
+ documents the override syntax with the SEC_REVIEW F60 reference.
+ Caddyfile syntax validated with `frankenphp validate --adapter
+ caddyfile` on both files; both report "Valid configuration".
### F61 — Caddy `Permissions-Policy` minimal
- **Files:** `ui/docker/Caddyfile:24`, `api/docker/Caddyfile:30`
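Review bot: the unchanged `**Risk:**` context line above still says operators "need to add the directive", which the new `**Status:**` text contradicts (they now set `HSTS_HEADER` in the environment instead of editing the Caddyfile); update the Risk wording to match. The Caddyfile and `.env.example` edits the Status describes are not part of this diff, so either quote the actual Caddyfile header line here, showing the `max-age=31536000; includeSubDomains` default, or make sure those files ship in the same commit so a reader can verify the default and the override path. Minor: keep the example `HSTS_HEADER="max-age=31536000; includeSubDomains; preload"` on a single line instead of wrapping it inside the backticks, so it copies cleanly into a shell.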