COS website security is poor

Top Contributor

Hi,


Having had our COS website independently reviewed, we have found that websites hosted on HubSpot infrastructure lack essential headers that are needed for helping protect the site and its visitors:

  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy

Has anyone else found how these can be improved? Are Hubspot working to increase the security of the COS?

Community Manager

Hey @ojobson, I reached out directly to the COS product team with your query. Here is what they advised:


The HubSpot COS is definitely secure and is constantly being monitored via its integrated WAF and other monitoring services which protect HubSpot sites. HubSpot also has active and ongoing tests that are run against the COS (internal and 3rd party) to detect potential security issues that could manifest on customer sites.


If you are still concerned, the best channel to reach out to as a paying COS customer is the Support Team who will be able to escalate this to the security team. They take every report and concern seriously and will be able to follow up with you directly. 


If you have any trouble getting in contact with the support team please let me know and I can create a ticket on your behalf. 

Top Contributor

Thanks for the updates - that's reassuring to know. One question, what is 'WAF'?

Community Manager

My apologies - WAF = Web Application Firewall


A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. It can prevent attacks stemming from web application security flaws.

Top Contributor

Thanks - I hadn't seen the abbreviation before.

New Member

With respect, other security measures are no substitute for allowing these and other security headers to be added to sites hosted by HubSpot. For example, some of these headers can restrict what can be run in frames, or what can be run in our sites when those sites are included in frames elsewhere. There are many ways of attacking visitors to a site by clever use of frames.


Making general claims about HubSpot's love for security does not address the growing need for enabling site owners to add more security headers to their sites. Additionally, a number of testing services that are used by businesses to track the security of firms they do business with are looking specifically at whether sites include the full suite of security headers. The results are similar to those you'll see when you test your site at https://securityheaders.com/. Our HubSpot-hosted site currently gets a D grade there.
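Several posts in this thread ask for a way to add these headers themselves. For readers who do control an origin (a self-hosted site, or a reverse proxy in front of one), here is an added example that is not HubSpot's code and not part of the COS platform: a WSGI middleware that injects the headers named in this thread, plus Content-Security-Policy with `frame-ancestors`, the modern form of the framing restriction the previous post describes. The demo apps, the request driver and the header values are this example's own assumptions; the values are common hardening defaults, not a standard.

```python
"""Added example (not HubSpot/COS code): WSGI middleware that injects the
security headers discussed in this thread.  Everything here, including the
header values and the demo apps, is this example's own assumption."""

# Common hardening defaults; adjust per site.  HSTS and CSP in particular
# must match how the site is actually deployed before they go live.
SECURITY_HEADERS = {
    # Browsers will use HTTPS only for a year, subdomains included.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # Legacy clickjacking defence: refuse to be rendered inside any frame.
    "X-Frame-Options": "DENY",
    # Modern form of the framing restriction plus a baseline source policy.
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'",
    # Stop browsers from sniffing a response into a more dangerous MIME type.
    "X-Content-Type-Options": "nosniff",
    # Send only the origin on cross-origin navigations, never the full URL.
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # The XSS auditor this header controlled has been removed from current
    # browsers; "0" disables it where it still exists (OWASP's recommendation).
    "X-XSS-Protection": "0",
}


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and add any of SECURITY_HEADERS the app did not set."""

    def __init__(self, app, headers=None):
        self.app = app
        self.headers = dict(SECURITY_HEADERS if headers is None else headers)

    def __call__(self, environ, start_response):
        def _start(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers.items():
                # HSTS is only honoured over HTTPS; sending it on plain HTTP
                # just hides the fact that the site is not forcing TLS.
                if (name == "Strict-Transport-Security"
                        and environ.get("wsgi.url_scheme") != "https"):
                    continue
                # Never override a header the application chose deliberately.
                if name.lower() not in present:
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, _start)


def hello_app(environ, start_response):
    """Demo app that sets no security headers at all."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def widget_app(environ, start_response):
    """Demo app that must be framed by its own origin, so it relaxes BOTH
    framing headers itself (frame-ancestors wins over X-Frame-Options in
    browsers that support CSP, so relaxing only one is not enough)."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Security-Policy", "frame-ancestors 'self'; default-src 'self'"),
    ])
    return [b"<iframe src='/widget'></iframe>"]


def run_request(app, scheme="https", path="/"):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for name, app in (("hello", hello_app), ("widget", widget_app)):
        status, headers, _ = run_request(SecurityHeadersMiddleware(app))
        print(name, status)
        for h, v in sorted(headers.items()):
            print("  %s: %s" % (h, v))
```

Two details matter in practice. HSTS is skipped for plain-HTTP requests because browsers ignore it there, and sending it anyway masks a site that is not actually forcing TLS. And the middleware never overwrites a header the application set itself, so a page that legitimately needs same-origin framing can relax the policy, but it has to relax both X-Frame-Options and `frame-ancestors`: browsers that understand the CSP directive give it precedence over X-Frame-Options.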

Top Contributor

Yep, I entirely agree - I'm a little disappointed they haven't made any moves so far to address this.

Regular Contributor

Agreed and replying here just to follow up on this.
I would love to see a way to access our servers to implement these asap if not through system settings directly. 

Occasional Contributor

This issue has just come up for me too. We will be applying for ISO 27001 and I would have thought HubSpot COS website would have passed all manner of testing without any problems.


This is very disappointing. Websites are run through a web-based tester and the results of that are what matters, not other strengths.


If we fail an audit due to this we will have to move away from HubSpot altogether as our customers require this certification.

Occasional Contributor

Jumping in here to agree with prior posts - We would really benefit from the ability to send security headers, either out of the box or the ability to turn these on and tweak.


It's interesting that HubSpot websites do not send a Strict-Transport-Security header, or send one with max-age=0, but HubSpot's own HubSpot.com sends theirs with an appropriate age directive (360 days).


HubSpot's security policies are great I'm sure, and good news that they're making use of a WAF, etc to protect the platform. But how about a thought for the end users of these websites, too?
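The opening post lists the headers an independent review found missing, and the post above points out that a Strict-Transport-Security header with max-age=0 is as good as none. The following added example, which is not from HubSpot or from securityheaders.com, audits a raw HTTP response for the same things a practitioner would check by hand: presence of each header, and whether its value is actually effective (HSTS max-age above a floor, a supported X-Frame-Options value or a CSP `frame-ancestors` directive, `nosniff`, a referrer policy that does not leak full URLs). The two sample responses are constructed here to mirror the two cases described in this thread, the six-month HSTS floor and the letter-grade scale are this example's own assumptions, and X-XSS-Protection is deliberately not audited because current browsers have removed the auditor it controlled.

```python
"""Added example (not HubSpot or securityheaders.com code): audit a raw HTTP
response for the security headers discussed in this thread."""
import re

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed floor: six months in seconds
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_raw_response(raw: str) -> dict:
    """Parse 'HTTP/1.1 200 OK\\r\\nName: value\\r\\n...' into {lower-name: [values]}.
    Values are kept as a list because a header (HSTS included) may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age directive as an int, or -1 if it is absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else -1


def audit(headers: dict) -> list:
    """Return [(header, verdict, detail)] for every header that is missing or weak."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append(("Strict-Transport-Security", "missing", "browser never pinned to HTTPS"))
    else:
        age = hsts_max_age(hsts[0])
        if age <= 0:
            findings.append(("Strict-Transport-Security", "weak",
                             "max-age=%d tells browsers to forget the policy" % age))
        elif age < MIN_HSTS_MAX_AGE:
            findings.append(("Strict-Transport-Security", "weak", "max-age=%d is short" % age))

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    # must restrict framing; frame-ancestors is the one modern browsers prefer.
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    csp = " ".join(headers.get("content-security-policy", []))
    if "frame-ancestors" in csp.lower():
        pass
    elif not xfo:
        findings.append(("X-Frame-Options", "missing", "page can be framed by any origin"))
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "weak", "unsupported value %r" % xfo[0]))

    if not csp:
        findings.append(("Content-Security-Policy", "missing", "no script/source restrictions"))

    xcto = headers.get("x-content-type-options", [""])[0].lower()
    if xcto != "nosniff":
        findings.append(("X-Content-Type-Options", "missing" if not xcto else "weak", xcto))

    rp = headers.get("referrer-policy", [""])[0].lower()
    if not rp:
        findings.append(("Referrer-Policy", "missing", "full URL leaks to cross-origin links"))
    elif rp not in SAFE_REFERRER_POLICIES:
        findings.append(("Referrer-Policy", "weak", rp))
    return findings


def grade(findings: list) -> str:
    """Letter grade from the finding count (this example's scale, not securityheaders.com's)."""
    return "ABCDEF"[min(len(findings), 5)]


# Constructed responses, not captured from any real host: one modelled on a
# site sending HSTS with max-age=0 and nothing else, one on a site sending
# HSTS for 360 days along with the other headers from the opening post.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "\r\n<html>...</html>"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31104000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'; default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE)):
        found = audit(parse_raw_response(raw))
        print(label, grade(found))
        for header, verdict, detail in found:
            print("  %-26s %-8s %s" % (header, verdict, detail))
```

Run against a live site, the raw response would come from a TLS socket or an HTTP client that exposes the response headers; the point of parsing the raw text here is that the same function works on a saved response from a scan report or a proxy log. Note that the max-age=0 case is reported as "weak" rather than "missing": the header is present, which is exactly why a presence-only check would pass it.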

HubSpot Product Team

I know this is only part of this idea here, but you can now set a HTTP Strict-Transport-Security (HSTS) response header in the Content Settings user interface (per subdomain). This functionality requires you to reach out to Support to be un-gated (for now).


If you wish to set the (HSTS) header, please reach out to Support, and they can help you along!

Occasional Contributor

Just checking up on the progress of improvements here. I can appreciate the rollout of the configurable HSTS response header. Has there been any further movement or development on this topic?

Visitor

I'd like an official Hubspot reply about their failures to adhere to web best practice too, and the sooner the better so I can decide whether to move to a more security minded supplier. My regulators and auditors are very unhappy about our continued use of Hubspot since these weaknesses are being reported over and over again for years with no signs of any resolution - looks very bad.

Community Manager

Hi all,


Thank you for your feedback. I am here to help and ensure you get the information you need. For an update on this matter, I wanted to share this thread.


Thank you,
Jenny

