
I'm investigating an issue where our static content (JS, CSS) is deployed in AWS CloudFront under a subdomain of our main website and doesn't have HSTS enabled. The main domain does have HSTS enabled, however.

Presuming our content on our main website is forced to run over https, and modern browsers won't allow http content to load when the main domain is https, none of our main content will ever run on http. What risks still exist?

My understanding is there wouldn't be any (unless there was some legacy browser in use).

I'm mostly worried about a MITM style attack where the Javascript content was intercepted as http and modified to introduce some sort of payload. But this seems impossible under the circumstances as the browser would reject it anyway as http?

Thanks in advance.

Cyassin
  • Does HSTS on the main domain have `includeSubDomains`? Are the resources on the subdomain ever used from other domains? – AndrolGenhald Mar 07 '19 at 14:30
  • The main domain is a subdomain itself, so as far as I am aware the includeSubDomains wouldn't work. The resources on the subdomain are only designed for the main domain, but being public static content anyone could theoretically use it, but should that be our concern? – Cyassin Mar 08 '19 at 03:41
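To make the `includeSubDomains` question in the comments concrete, here is an added example (not code from the original post) that models the browser-side rules from RFC 6797: how a `Strict-Transport-Security` header is parsed, that it is only honoured over https, which hosts an entry covers (exact match, or a superdomain entry carrying `includeSubDomains`), and what happens to an `http://` script reference on an https page when the script host is, or is not, a known HSTS host. The host names `www.example.com`, `static.example.com` and `example.com` and the response headers are constructed for the illustration; the fetch outcome is a simplified model in which the HSTS rewrite is applied before the mixed-content check.

```python
"""Model of HSTS coverage and mixed-content blocking (added example).

Host names and responses below are constructed for illustration; they are
not the site from the original post.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


# One directive: a token name, optionally "=" and a quoted-string or token value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^;\s]+))?\s*')


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None for an invalid header: missing or non-numeric max-age,
    or a directive that appears more than once.
    """
    seen = {}
    for part in header.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:  # RFC 6797: a directive must not be repeated
            return None
        seen[name] = m.group(2).strip('"') if m.group(2) else None
    max_age = seen.get("max-age") or ""
    if not max_age.isdigit():
        return None
    return HstsPolicy(int(max_age), "includesubdomains" in seen)


def record_response(store: dict, host: str, scheme: str, headers: dict) -> None:
    """Update the browser's HSTS store from one response (RFC 6797 section 8.1).

    The header is ignored on a plain-http response, so a MITM cannot plant a
    policy; max-age=0 deletes an existing entry.
    """
    if scheme != "https":
        return
    value = headers.get("strict-transport-security")
    if value is None:
        return
    policy = parse_hsts(value)
    if policy is None:
        return
    host = host.lower()
    if policy.max_age == 0:
        store.pop(host, None)
    else:
        store[host] = policy


def hsts_covered(store: dict, host: str) -> bool:
    """Is host a Known HSTS Host (RFC 6797 sections 8.2 and 8.3)?

    True on an exact entry, or when a superdomain entry has includeSubDomains.
    Sibling hosts (static.example.com vs www.example.com) never cover each other.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry.include_subdomains):
            return True
    return False


def script_fetch_outcome(store: dict, page_url: str, script_url: str) -> str:
    """Outcome for <script src=script_url> in this simplified model.

    'https'    -> already https, fetched as-is
    'upgraded' -> http URL rewritten to https by HSTS before the request
    'blocked'  -> http script on an https page is active mixed content
    'http'     -> http page, script fetched in clear text (a MITM can alter it)
    Assumption of the model: the HSTS rewrite is applied before the mixed-content check.
    """
    src = urlsplit(script_url)
    if src.scheme == "https":
        return "https"
    if hsts_covered(store, src.hostname or ""):
        return "upgraded"
    return "blocked" if urlsplit(page_url).scheme == "https" else "http"


def demo() -> dict:
    """Constructed scenario: HSTS on www only, then on the apex with includeSubDomains."""
    store: dict = {}
    record_response(store, "www.example.com", "https",
                    {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    record_response(store, "static.example.com", "https", {})  # CloudFront: no header
    record_response(store, "static.example.com", "http",       # must be ignored
                    {"strict-transport-security": "max-age=31536000"})
    before = {
        "static_covered": hsts_covered(store, "static.example.com"),
        "cdn_www_covered": hsts_covered(store, "cdn.www.example.com"),
        "script": script_fetch_outcome(store, "https://www.example.com/",
                                       "http://static.example.com/app.js"),
    }
    record_response(store, "example.com", "https",             # apex with includeSubDomains
                    {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    after = {
        "static_covered": hsts_covered(store, "static.example.com"),
        "script": script_fetch_outcome(store, "https://www.example.com/",
                                       "http://static.example.com/app.js"),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The `before` result shows what the comment exchange describes: `includeSubDomains` on `www.example.com` covers `cdn.www.example.com` but not the sibling `static.example.com`, and a policy received over plain http is discarded. The `after` result shows the two ways to close the gap: serve the header from the apex `example.com` with `includeSubDomains` (which also pins every other subdomain, so check them first), or have the CloudFront distribution send its own `Strict-Transport-Security` header.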
