sebastianusberti-externo asked:

Playfab API endpoints security headers

Hi there! We are currently using PlayFab in our Unity-based games, and during a pentest we had an issue with our calls to https://ade31.playfabapi.com

Specifically, the lack or misconfiguration of these headers:

HTTP Strict Transport Security (HSTS), Cache-Control, Content-Security-Policy

Do you have any insights on these? Roadmap? Plans to remediate?

Tags: apis, unity3d

1 Answer

Infer Wang answered:

The PlayFab REST API doesn't need the headers you mentioned. You can find the required headers in every API's documentation.

2 comments

sebastianusberti-externo commented:

It is not a matter of the PlayFab API needing the headers.

The PlayFab API is considered insecure without them, as they provide a means to guarantee that the service provided is legitimate, that the content is controlled, etc.

It is we, the consumers, who need the API to expose proper headers.

The question remains: is there any roadmap, remediation or plan for this?

References for security headers:
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://en.wikipedia.org/wiki/Content_Security_Policy

Infer Wang commented (replying to sebastianusberti-externo):

I'm not sure whether these policies should be included in the PlayFab API, but from the documentation it seems these policies are meant to protect websites that are used through a web browser. The PlayFab API is a REST API that uses the HTTPS protocol to ensure secure communication between your application and PlayFab servers.

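As an added defender-side check (example code, not code from this thread or from PlayFab), the following Python audit flags the three header findings the pentest raised: HSTS, Cache-Control and Content-Security-Policy. The responses below are constructed header dicts, not captured from playfabapi.com, and the one-year HSTS max-age threshold is an assumed policy value.

```python
"""Audit HTTP response headers for the three findings named in the thread.
Assumption: a response is represented as a plain dict of header name -> value
(the samples below are constructed, not captured from playfabapi.com)."""
from typing import Dict, List


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' (or a comma-separated
    Cache-Control value) into a dict of lowercase directive -> value."""
    out: Dict[str, str] = {}
    for part in value.replace(";", ",").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit_security_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return the list of findings; an empty list means all three checks pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        age = parse_directives(hsts).get("max-age", "")
        if not age.isdigit() or int(age) < min_hsts_age:
            findings.append(f"HSTS max-age below {min_hsts_age}")
    cc = h.get("cache-control")
    if cc is None:
        findings.append("Cache-Control missing")
    elif "no-store" not in parse_directives(cc):
        # API responses carrying session data should not be cached by intermediaries
        findings.append("Cache-Control lacks no-store")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings


# Constructed sample responses (assumed shapes, not real PlayFab traffic).
WEAK_RESPONSE = {"Content-Type": "application/json", "Cache-Control": "public, max-age=60"}
HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_security_headers(resp) or ["OK"])
```

Running the audit against a live endpoint only requires swapping the constructed dicts for the headers returned by an HTTPS client of your choice.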
