Full Disclosure mailing list archives

mobile.facebook.com is not on HSTS preload list or sending the Strict-Transport-Security header

From: Ricardo Iramar dos Santos <riramar () gmail com>

Date: Wed, 20 Jan 2016 11:24:02 -0200

Hi All,

I've noticed that the mobile.facebook.com domain is not on the HSTS preload list or sending the Strict-Transport-Security header. All the other domains like m.facebook.com are using HSTS properly. I reported this to Facebook on 12/3/15 through the whitehat program and got the answer below. I've checked again today and it is still not using HSTS. Not sure why Facebook is not protecting this domain with HSTS.

Hi Ricardo,

Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.

Thanks,
Angelo
Security
Facebook

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
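The post reports a host that neither sends a Strict-Transport-Security header nor appears on the preload list. The script below is an added example, not part of the original message and not Facebook's or the list's code: it parses an STS header value the way RFC 6797 section 6.1 specifies (case-insensitive directives, mandatory max-age, no repeated directives, invalid headers ignored) and then checks the parsed policy against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). The response headers fed to it are constructed samples; they are not the headers any facebook.com host actually returned.

```python
"""Check a response's Strict-Transport-Security header and its preload readiness.

Added example for the HSTS report above. All sample headers are constructed
and stand in for a real HTTP response; none are real facebook.com responses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# hstspreload.org requires max-age >= 31536000 (one year), includeSubDomains
# and the preload token before a domain may be submitted to the list.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


@dataclass
class HstsReport:
    policy: Optional[HstsPolicy]          # None when no valid header was found
    findings: List[str] = field(default_factory=list)

    @property
    def preload_ready(self) -> bool:
        """True only when a valid policy meets every preload requirement."""
        return self.policy is not None and not self.findings


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; return None if a browser would ignore it.

    RFC 6797 section 6.1: directives are ';'-separated and case-insensitive,
    max-age is required, and no directive may appear more than once.
    Unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')        # max-age may be a quoted-string
        if name in seen:
            return None                     # duplicate directive: header invalid
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None                 # delta-seconds must be a non-negative integer
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None                         # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def find_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate(headers: Dict[str, str]) -> HstsReport:
    """Produce findings a defender would act on for one response's headers."""
    raw = find_header(headers, "Strict-Transport-Security")
    if raw is None:
        return HstsReport(None, ["no Strict-Transport-Security header: browsers keep "
                                 "following http:// links to this host"])
    policy = parse_hsts(raw)
    if policy is None:
        return HstsReport(None, [f"STS header is syntactically invalid and ignored: {raw!r}"])
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget any stored policy")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={policy.max_age} is below the one-year preload minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay unprotected")
    if not policy.preload:
        findings.append("preload token missing: domain cannot be submitted to the preload list")
    return HstsReport(policy, findings)


# Constructed sample responses (header dicts), not real traffic.
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=600"},
    "invalid": {"Strict-Transport-Security": "includeSubDomains"},   # no max-age
    "missing": {"Content-Type": "text/html"},                         # no STS at all
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        report = evaluate(headers)
        print(f"{label}: preload_ready={report.preload_ready}")
        for finding in report.findings:
            print(f"  - {finding}")
```

The "missing" sample models the situation the post describes; the "invalid" one matters because a header that is present but malformed protects nothing, which a check that only greps for the header name would miss.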