Hi,

On Tue, Aug 25, 2020 at 9:05 PM Dave Wichers <dave.wich...@owasp.org> wrote:

> Per:
> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
> and
> https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
>
> they both say:
>
> hstsMaxAgeSeconds  - The max age value that should be used in the HSTS
> header. Negative values will be treated as zero. If not specified, the
> default value of 0 will be used.
>
> So, if a Tomcat user (like I did at first) configures hstsEnabled=true,
> the HSTS response header is set by Tomcat, but with a max age of zero
> (since that is the default).
>
> However, per the HSTS RFC:
> https://tools.ietf.org/html/rfc6797#section-6.1.1 it says:
>
> NOTE:  A max-age value of zero (i.e., "max-age=0") signals the UA to cease
> regarding the host as a Known HSTS Host, including the includeSubDomains
> directive (if asserted for that HSTS Host).
>
> I noticed this problem when I first enabled HSTS on my Tomcat dev
> instance, and then passively scanned my web app with OWASP ZAP (
> https://owasp.org/www-project-zap/). ZAP, correctly I believe, pointed
> out that enabling HSTS with a MaxAge of zero is effectively a no-op. (i.e.,
> does nothing).
>
> If I'm correct, then I think having a default of zero is dangerous and
> should instead default to something useful and effective, such as one year
> (in seconds), which is what many developers set/configure this value to.
> Otherwise, I think turning HSTS ON in Tomcat might be giving people a false
> sense of security because it really doesn't do anything unless you also
> set MaxAge (which to me isn't intuitive that you should have to do that).
>
> Do you agree with me that this is a problem that should be fixed?
>

I agree that either a better default should be set or Tomcat should report
this misconfiguration somehow to the user!


>
> -Dave
>
>
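As an added illustration (not code from this thread, from Tomcat, or from ZAP), the following Python models the documented hstsEnabled/hstsMaxAgeSeconds behaviour to produce the header the filter would send, then judges that header the way a passive scanner would, flagging max-age=0 as a no-op per RFC 6797 section 6.1.1. The web.xml fragments are constructed samples; the parameter names come from the Tomcat docs linked above, and the ";includeSubDomains" suffix format is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml: hstsEnabled only, as in the report above.
WEAK_WEB_XML = """<web-app>
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

# Constructed web.xml: same filter with an explicit one-year max-age.
FIXED_WEB_XML = """<web-app>
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  </filter>
</web-app>"""


def filter_init_params(web_xml: str) -> dict:
    """Collect the init-params of the HttpHeaderSecurityFilter from a web.xml string."""
    root = ET.fromstring(web_xml)
    for flt in root.iter("filter"):
        if flt.findtext("filter-class", "").endswith("HttpHeaderSecurityFilter"):
            return {p.findtext("param-name"): p.findtext("param-value")
                    for p in flt.findall("init-param")}
    return {}


def hsts_header(params: dict):
    """Model of the documented behaviour (not Tomcat's source): header only when
    hstsEnabled=true; hstsMaxAgeSeconds defaults to 0, negatives are treated as 0."""
    if params.get("hstsEnabled", "false").lower() != "true":
        return None
    max_age = max(0, int(params.get("hstsMaxAgeSeconds", "0")))
    value = f"max-age={max_age}"
    if params.get("hstsIncludeSubDomains", "false").lower() == "true":
        value += ";includeSubDomains"  # assumed suffix format
    return value


def assess_hsts(header):
    """Scanner-style verdict on a Strict-Transport-Security value (RFC 6797 6.1.1)."""
    if header is None:
        return "missing"
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
    if not m:
        return "invalid: no max-age directive"
    if int(m.group(1)) == 0:
        return "no-op: max-age=0 tells the UA to stop treating the host as an HSTS host"
    return "ok"
```

Running `assess_hsts(hsts_header(filter_init_params(WEAK_WEB_XML)))` yields the no-op verdict, while the FIXED_WEB_XML configuration yields "ok".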
