HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS)

raupach
Hello group,

as an exercise I went ahead and extended the SslFilter with support for HTTP Strict Transport Security (HSTS).

At least I think I did. Not that familiar with the internals. I overrode the method postHandle in SslFilter to add the header. Is this the correct place? Or say the correct place in general to add headers in filters?

HTTP Strict Transport Security (HSTS) would be a nice addition for all the SSL-only sites out there. I think in recent years more and more pages have gone full SSL, with good reasons to do so. It is a bit problematic with SslFilter since this one is path based. If you go HSTS then everything on the site uses https. This might break things if you have a path with SSL and one without. You can do that with Shiro but not with HSTS.


Thanks in advance

/Björn
Re: HTTP Strict Transport Security (HSTS)

Brian Demers
Great! Can you add a test and submit a PR?

On Tue, Jan 10, 2017 at 4:25 AM, Björn Raupach <[hidden email]> wrote:
Hello group,

as an exercise I went ahead and extended the SslFilter with support for HTTP Strict Transport Security (HSTS).

At least I think I did. Not that familiar with the internals. I overrode the method postHandle in SslFilter to add the header. Is this the correct place? Or say the correct place in general to add headers in filters?

HTTP Strict Transport Security (HSTS) would be a nice addition for all the SSL-only sites out there. I think in recent years more and more pages have gone full SSL, with good reasons to do so. It is a bit problematic with SslFilter since this one is path based. If you go HSTS then everything on the site uses https. This might break things if you have a path with SSL and one without. You can do that with Shiro but not with HSTS.


Thanks in advance

/Björn
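
A sketch of the approach described in the first message, added here as an example; it is not the poster's code and not Shiro's own implementation. The class name HstsSslFilter, its two properties and the one-year default are assumptions; SslFilter, postHandle and WebUtils.toHttp are existing Shiro 1.x APIs.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authz.SslFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical SslFilter subclass that adds the HSTS response header. */
public class HstsSslFilter extends SslFilter {

    private static final String HSTS_HEADER = "Strict-Transport-Security";

    private long maxAgeSeconds = 31536000L;    // assumed default: one year
    private boolean includeSubDomains = false; // assumed default: this host only

    public void setMaxAgeSeconds(long maxAgeSeconds) {
        if (maxAgeSeconds < 0) {
            throw new IllegalArgumentException("max-age must not be negative");
        }
        this.maxAgeSeconds = maxAgeSeconds;
    }

    public void setIncludeSubDomains(boolean includeSubDomains) {
        this.includeSubDomains = includeSubDomains;
    }

    @Override
    protected void postHandle(ServletRequest request, ServletResponse response) throws Exception {
        super.postHandle(request, response);
        // RFC 6797: the header must not be sent over non-secure transport.
        if (!request.isSecure()) {
            return;
        }
        // postHandle runs after the filter chain, so a response that was already
        // flushed is committed and can no longer take new headers.
        if (response.isCommitted()) {
            return;
        }
        StringBuilder value = new StringBuilder("max-age=").append(maxAgeSeconds);
        if (includeSubDomains) {
            value.append("; includeSubDomains");
        }
        // setHeader rather than addHeader: a response may carry only one STS header.
        HttpServletResponse http = WebUtils.toHttp(response);
        http.setHeader(HSTS_HEADER, value.toString());
    }
}
```

The header is only emitted on paths mapped to this filter, but a browser that receives it applies the policy to the whole host, which is the path-based mismatch raised in the first message.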