We get weekly security scans from SecurityScoreCard, and all our forwarding URLs are impacting our score.
For example, we have a redirect from https://mail.DOMAIN.com/ + http://mail.DOMAIN.com/ --> https://login.microsoftonline.com/
This gives us the following non-conformities:
Does not implement X-XSS-Protection Best Practices
Insecure HTTPS Redirect Pattern
Does not implement HSTS Best Practices
CSP Missing
I’ve searched the forums, and even though this has been raised before, it does not seem to provide an answer.
Is mail.DOMAIN.com set to on the DNS tab of the Cloudflare dashboard?
Have you set SSL Mode to Off on the SSL/TLS tab?
Is this redirect done in a page rule?
HSTS best practice recommends that you redirect http immediately to the same hostname on https. The easiest way to achieve this is by using the “Always Use HTTPS” option, and to explicitly target https://mail.example.com/* in your page rule.
(If SSL Mode is set Off, then Cloudflare will issue a https --> http redirect, which was my initial line of questioning.)
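As an added example (not from this thread and not Cloudflare's own code), here is a small checker that evaluates an observed redirect chain against the pattern described above: plain HTTP must first be upgraded to HTTPS on the same hostname, no hop may downgrade HTTPS to HTTP (the SSL Mode "Off" case), and every HTTPS response, including the redirect to login.microsoftonline.com, must carry the headers the scan complained about. The hop records, hostnames and header values are constructed for illustration; in practice you would collect them with an HTTP client that does not follow redirects.

```python
"""Check a redirect chain against the HSTS/redirect pattern discussed in the thread.

Added example, not code from the thread or from Cloudflare. The hop records
below are constructed by hand; collect real ones with a client that does not
follow redirects and records each response's status and headers.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Hop:
    url: str                                      # URL that was requested
    status: int                                   # response status code
    headers: dict = field(default_factory=dict)   # response headers, lower-case names


# Headers the scan in the thread flagged as missing on HTTPS responses.
# Only presence is checked here; the value your scanner expects is its own rule.
REQUIRED_ON_HTTPS = (
    "strict-transport-security",
    "content-security-policy",
    "x-xss-protection",
)


def check_chain(hops):
    """Return a list of findings; an empty list means the chain follows the pattern."""
    findings = []
    for i, hop in enumerate(hops):
        src = urlparse(hop.url)
        loc = hop.headers.get("location")
        if 300 <= hop.status < 400 and loc:
            dst = urlparse(loc)
            # https -> http is a downgrade (what Cloudflare issues when SSL Mode is Off).
            if src.scheme == "https" and dst.scheme == "http":
                findings.append(f"hop {i}: HTTPS -> HTTP downgrade redirect to {loc}")
            # Plain http should be upgraded to https on the *same* host before going anywhere else.
            if src.scheme == "http" and not (dst.scheme == "https" and dst.hostname == src.hostname):
                findings.append(
                    f"hop {i}: HTTP redirect should go to https://{src.hostname}/ first, got {loc}"
                )
        if src.scheme == "https":
            for name in REQUIRED_ON_HTTPS:
                if name not in hop.headers:
                    findings.append(f"hop {i}: missing {name} on HTTPS response from {hop.url}")
    return findings


# Constructed chain modelling the original poster's setup: http jumps straight to
# the external login page and the https response carries no security headers.
CHAIN_BAD = [
    Hop("http://mail.example.com/", 301, {"location": "https://login.microsoftonline.com/"}),
    Hop("https://mail.example.com/", 302, {"location": "https://login.microsoftonline.com/"}),
]

# Constructed chain following the advice in the thread: http -> https on the same
# host first, then the https redirect to the external site with the headers set.
CHAIN_GOOD = [
    Hop("http://mail.example.com/", 301, {"location": "https://mail.example.com/"}),
    Hop(
        "https://mail.example.com/",
        302,
        {
            "location": "https://login.microsoftonline.com/",
            "strict-transport-security": "max-age=31536000; includeSubDomains",
            "content-security-policy": "default-src 'none'",
            "x-xss-protection": "0",
        },
    ),
]


if __name__ == "__main__":
    for label, chain in (("bad", CHAIN_BAD), ("good", CHAIN_GOOD)):
        print(f"{label}: {check_chain(chain) or 'OK'}")
```

Run it as-is to see the four findings for the first chain and a clean result for the second; swap in hops captured from your own hostname to see which of the scanner's items each hop would trip.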