[ 
https://issues.apache.org/jira/browse/KNOX-3111?focusedWorklogId=962711&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-962711
 ]

ASF GitHub Bot logged work on KNOX-3111:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Mar/25 10:03
            Start Date: 20/Mar/25 10:03
    Worklog Time Spent: 10m 
      Work Description: hanicz opened a new pull request, #1007:
URL: https://github.com/apache/knox/pull/1007

   ## What changes were proposed in this pull request?
   
   This PR introduces the ability to enable `Strict-Transport-Security` header 
globally for all responses (even 404). Currently there is a topology wide 
configuration in the WebAppSec provider. The users now can enable it for only 
specific topologies or globally as well. If both is enabled and there is a 
request for that specific topology the WebAppSec configuration will take 
precedence. 
   
   To enable the global configuration the below is required in the 
gateway-site.xml configuration file. The `option` config is optional, the 
default value is `max-age=31536000` (Its the same for the WebAppSec provider as 
well).
   
   ```
   <property>
       <name>gateway.strict.transport.enabled</name>
       <value>true</value>
   </property>
   <property>
       <name>gateway.strict.transport.option</name>
       <value>max-age=31</value>
   </property>
   ```
   
   ## How was this patch tested?
   
   Unit tests.
   Manual tests locally. 
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 962711)
    Remaining Estimate: 0h
            Time Spent: 10m

> HSTS headers are missing for 404 responses
> ------------------------------------------
>
>                 Key: KNOX-3111
>                 URL: https://issues.apache.org/jira/browse/KNOX-3111
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.2.0
>            Reporter: Tamás Hanicz
>            Assignee: Tamás Hanicz
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Strict-Transport-Security header is missing for 404 responses. The 
> "strict.transport.enabled" configuration is set in the WebAppSec provider 
> topology wide. To include the header on 404 as well jetty has to be 
> configured with a custom handler. However this is a global configuration 
> which would mean every response will include this header.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to