About HTTP Strict Transport Security (HSTS)

Article ID: 297947

Products

VMware Tanzu Application Service for VMs

Environment

Product Version: 2.2

Resolution

Checklist:

Non-secure HTTP requests can allow a man-in-the-middle attacker to intercept cleartext traffic between the user and the target server and/or redirect traffic. For example, the attacker could force the user to use HTTP and analyze the response from the server to gather sensitive information such as passwords or session tokens.

HTTP Strict Transport Security (HSTS) protects secure (HTTPS) websites from being downgraded to non-secure HTTP through the use of a special response header. This mechanism enables servers to instruct their clients (web browsers or other user agents) to use only secure HTTPS connections when interacting with the server, and never the insecure HTTP protocol. This means that all connections are secure and cannot be intercepted or redirected by a third party. Note that HSTS is not enforced and does not apply when the server is using an untrusted SSL certificate.
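As an added illustration, not code from this article or from PCF, the following Python models a browser's HSTS policy store along the lines of RFC 6797: a policy is recorded only when the header arrives over HTTPS with a trusted certificate (the caveat noted above), after which plain http:// requests to that host, and to its subdomains when includeSubDomains is set, are rewritten to https://. Host names, header values and timestamps used with it are constructed.

```python
import time

def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    returns None for an invalid header (max-age missing, non-numeric or repeated)."""
    max_age, include_sub, seen = None, False, set()
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797: a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True   # other directives (e.g. preload) are ignored here
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """A user agent's HSTS cache: host -> (expiry timestamp, include_subdomains)."""
    def __init__(self, now=time.time):
        self.now, self.hosts = now, {}

    def observe(self, host, scheme, cert_trusted, headers):
        """Learn a policy from a response (header names lowercased). The header only
        counts if it came over HTTPS with a trusted certificate, hence the caveat above."""
        value = headers.get("strict-transport-security")
        parsed = parse_sts(value) if scheme == "https" and cert_trusted and value else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 revokes the policy
        else:
            self.hosts[host.lower()] = (self.now() + max_age, include_sub)
        return True

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when an unexpired policy covers its host."""
        if not url.startswith("http://"):
            return url
        host = url[7:].split("/", 1)[0].rsplit(":", 1)[0].lower()
        for known, (expires, include_sub) in self.hosts.items():
            covered = host == known or (include_sub and host.endswith("." + known))
            if covered and expires > self.now():
                return "https://" + url[7:]
        return url
```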

There are three main ways in which users interact with PCF via a web browser:

  • CF UAA Login: HSTS enabled for all versions.
  • Apps Manager: HSTS enabled in versions 1.12.13 and 2.0.0+.
  • Ops Manager interface: HSTS enabled in versions 1.12.0 and 2.0.0+. Ops Manager should only be used in secure, controlled environments, such as within a corporate network.

Additionally, users often interact with the Cloud Controller API through the CF CLI (Cloud Foundry Command Line Interface). Cloud Controller currently accepts both HTTP and HTTPS connections on different ports, and we are working to disable HTTP connections.

All other HTTP connections in PCF are made from within the platform, where each internal component accepts either HTTP or HTTPS (never both) and web browsers are not party to these connections. HSTS therefore offers no protection against interception of this internal HTTP traffic. Instead, we are working toward using the Transport Layer Security (TLS) protocol for all connections within the platform. Additionally, adding HSTS headers throughout the platform could cause connections to fail for the small number of components that currently communicate only over HTTP.


Additional Information

Refer to:

  • OWASP documentation for HSTS
  • Wikipedia entry for TLS