Forwarding URL fails security audits

Hey everyone,

We get weekly security scans from SecurityScoreCard, and all our forwarding URLs are impacting our score.
For example, we have a redirect from + -->

This gives us the following non-conformities:

  1. Does not implement X-XSS-Protection Best Practices
  2. Insecure HTTPS Redirect Pattern
  3. Does not implement HSTS Best Practices
  4. CSP Missing

I’ve searched the forums, and even though this has been raised before, it does not seem to provide an answer.

Is set to :orange: on the DNS tab of the Cloudflare dashboard?
Have you set SSL Mode to Off on the SSL/TLS tab?
Is this redirect done in a page rule?

Hey Michael, thanks for taking the time:

  1. Yes, we use the Cloudflare proxy/WAF.
  2. No, we use HSTS on subdomains.
  3. Yes, we use a page rule for the forward.

Just re-reading your original message, I can see I misunderstood. I thought you were getting a redirect from https://mail --> http://mail --> https://microsoft

HSTS best practice recommends that you redirect http immediately to the same hostname on https. The easiest way to achieve this is by using the “Always Use HTTPS” option, and to explicitly target* in your page rule.

(If SSL Mode is set to Off, then Cloudflare will issue an https --> http redirect, which was my initial line of questioning.)
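
The redirect ordering described in the reply above, as an added example that is not part of the thread: a Python check over recorded redirect chains that flags an http hop that does not first upgrade to https on the same hostname, an https to http downgrade, and a forwarding host that never sends an HSTS header over https. The hostnames, chains and finding names are constructed for illustration and are assumptions, not SecurityScoreCard's own rules.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect chains: (request URL, status, response headers).
# Hostnames are placeholders, not taken from the thread.
HSTS = {"Strict-Transport-Security": "max-age=31536000"}
FORWARD_DIRECT = [
    ("http://mail.example.com/", 301, {"Location": "https://login.example.net/"}),
    ("https://login.example.net/", 200, {}),
]
UPGRADE_THEN_FORWARD = [
    ("http://mail.example.com/", 301, {"Location": "https://mail.example.com/"}),
    ("https://mail.example.com/", 301, {"Location": "https://login.example.net/", **HSTS}),
    ("https://login.example.net/", 200, {}),
]
SSL_OFF_DOWNGRADE = [
    ("https://mail.example.com/", 301, {"Location": "http://mail.example.com/"}),
    ("http://mail.example.com/", 301, {"Location": "https://login.example.net/"}),
    ("https://login.example.net/", 200, {}),
]


def audit_chain(chain):
    """Return finding codes for one recorded redirect chain, in hop order."""
    findings = []
    origin = urlsplit(chain[0][0]).hostname  # the forwarding host under audit
    hsts_seen = False
    for url, status, headers in chain:
        hdrs = {k.lower(): v for k, v in headers.items()}
        src = urlsplit(url)
        # HSTS only counts when the origin host sends it on an https response.
        if src.scheme == "https" and src.hostname == origin:
            hsts_seen = hsts_seen or "strict-transport-security" in hdrs
        if not (300 <= status < 400 and "location" in hdrs):
            continue
        dst = urlsplit(urljoin(url, hdrs["location"]))  # resolves relative Location
        if src.scheme == "https" and dst.scheme != "https":
            findings.append("https-downgrade")
        elif src.scheme == "http" and (dst.scheme, dst.hostname) != ("https", src.hostname):
            findings.append("http-not-upgraded-on-same-host")
    if not hsts_seen:
        findings.append("origin-never-sent-hsts")
    return findings


if __name__ == "__main__":
    for name in ("FORWARD_DIRECT", "UPGRADE_THEN_FORWARD", "SSL_OFF_DOWNGRADE"):
        print(name, audit_chain(globals()[name]))
```

To audit a live hostname, record each hop's request URL, status and headers with redirects disabled in the HTTP client and pass the list to `audit_chain`.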

