
Wednesday, January 20, 2016

[FD] mobile.facebook.com is not on HSTS preload list or sending the Strict-Transport-Security header

Hi All,

I've noticed that the mobile.facebook.com domain is not on the HSTS preload list or sending the Strict-Transport-Security header. All the other domains, like m.facebook.com, are using HSTS properly.

I reported this to Facebook on 12/3/15 through the whitehat program and got the answer below. I've checked again today and it is still not using HSTS. Not sure why Facebook is not protecting this domain with HSTS.

Hi Ricardo,

Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.

Thanks,
Angelo
Security
Facebook
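The kind of per-host check described in the post, as an added example that is not part of the original message: it parses a Strict-Transport-Security value following RFC 6797 and classifies each host's HTTPS response headers. The hostnames and header values are constructed samples, and the one-year minimum is an assumption taken from the current hstspreload.org submission requirements.

```python
import re

# Assumption: minimum max-age currently required for preload submission (one year).
PRELOAD_MIN_AGE = 31536000

def parse_hsts(value):
    """Parse an STS header value (RFC 6797, section 6.1).
    Returns a dict of lower-cased directives, or None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directives are permitted
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]               # quoted-string form, e.g. max-age="600"
        if name in directives:
            return None                   # a directive may appear only once
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is mandatory and numeric
    return directives

def classify(headers):
    """Classify a list of (name, value) headers from one HTTPS response."""
    sts = next((v for k, v in headers
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return "missing"
    d = parse_hsts(sts)
    if d is None:
        return "invalid"
    age = int(d["max-age"])
    if age == 0:
        return "disabled"                 # max-age=0 tells the browser to drop the policy
    if age >= PRELOAD_MIN_AGE and "includesubdomains" in d and "preload" in d:
        return "preload-ready"            # header side only; other preload rules not checked
    return "enabled"

def audit(responses):
    return {host: classify(h) for host, h in responses.items()}

# Constructed sample responses (not captured from any real site).
SAMPLE = {
    "m.example.com": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")],
    "mobile.example.com": [("Content-Type", "text/html")],
    "old.example.com": [("strict-transport-security", "max-age=0")],
    "dup.example.com": [("Strict-Transport-Security", "max-age=600; max-age=700")],
    "short.example.com": [("Strict-Transport-Security", 'max-age="15552000"')],
}
```

A host that reports "missing" is only protected if a parent domain's policy with includeSubDomains has already been cached by the browser or is preloaded.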
