Full Disclosure mailing list archives

mobile.facebook.com is not on HSTS preload list or sending the Strict-Transport-Security header


From: Ricardo Iramar dos Santos <riramar () gmail com>
Date: Wed, 20 Jan 2016 11:24:02 -0200

Hi All,

I've noticed that the mobile.facebook.com domain is not on the HSTS preload
list or sending the Strict-Transport-Security header. All the other
domains, like m.facebook.com, are using HSTS properly.
I reported this to Facebook on 12/3/15 through the whitehat program
and got the answer below. I've checked again today and it is still not
using HSTS. Not sure why Facebook is not protecting this domain with
HSTS.

   Hi Ricardo,
   Thank you for sharing this information with us. Although this issue
   does not qualify as a part of our bounty program, we appreciate your
   report. We will follow up with you on any security bugs or with any
   further questions we may have.
   Thanks,

   Angelo
   Security
   Facebook
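The check behind this report, as an added example that is not part of the original post: parse the Strict-Transport-Security header out of a raw HTTP response and evaluate it against RFC 6797 and the preload-list submission rules. The HTTP responses below are constructed for illustration, not captured from any Facebook host, and the one-year max-age threshold is the requirement published by hstspreload.org at the time of writing (assumption; check the site for the current value).

```python
"""Evaluate a Strict-Transport-Security (HSTS) header from a raw HTTP response.

Reports whether the header is present and whether it would satisfy the
hstspreload.org submission requirements (max-age >= 1 year, includeSubDomains,
preload). Sample responses are constructed, not captured from real hosts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: hstspreload.org requires a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Map lowercase header names to values, keeping only the first occurrence
    of each (RFC 6797 section 8.1: a UA processes only the first STS header)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_sts_directives(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=...; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive and may appear at most once."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if has_value else None
    return directives


def evaluate(raw_response: str) -> HstsPolicy:
    """Return the parsed policy plus a list of problems; an empty list means
    the header is present and meets the preload requirements."""
    headers = parse_headers(raw_response)
    sts = headers.get("strict-transport-security")
    if sts is None:
        # The situation described in the post: the host sets no HSTS at all.
        return HstsPolicy(present=False, problems=["no Strict-Transport-Security header"])
    policy = HstsPolicy(present=True)
    try:
        directives = parse_sts_directives(sts)
    except ValueError as exc:
        policy.problems.append(str(exc))
        return policy
    policy.include_subdomains = "includesubdomains" in directives
    policy.preload = "preload" in directives
    raw_age = directives.get("max-age")
    if raw_age is None or not re.fullmatch(r"\d+", raw_age):
        policy.problems.append("max-age missing or not a non-negative integer (required by RFC 6797)")
    else:
        policy.max_age = int(raw_age)
        if policy.max_age < PRELOAD_MIN_MAX_AGE:
            policy.problems.append(
                f"max-age {policy.max_age} is below the preload minimum {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        policy.problems.append("includeSubDomains directive missing")
    if not policy.preload:
        policy.problems.append("preload token missing")
    return policy


# Constructed sample responses (not real captures).
RESPONSE_NO_HSTS = ("HTTP/1.1 200 OK\r\n"
                    "Content-Type: text/html\r\n"
                    "\r\n<html></html>")
RESPONSE_FULL = ("HTTP/1.1 200 OK\r\n"
                 "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
                 "\r\n")
RESPONSE_WEAK = ("HTTP/1.1 200 OK\r\n"
                 "Strict-Transport-Security: max-age=600\r\n"
                 "\r\n")

if __name__ == "__main__":
    for label, resp in (("no-hsts", RESPONSE_NO_HSTS), ("full", RESPONSE_FULL), ("weak", RESPONSE_WEAK)):
        print(label, evaluate(resp))
```

Feed `evaluate()` the head of a response fetched over HTTPS only: per RFC 6797 a browser ignores the header on plain HTTP, so a check over port 80 says nothing about the deployed policy.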

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

