Hi,

On Tue, Aug 25, 2020 at 9:05 PM Dave Wichers <dave.wich...@owasp.org> wrote:

> Per:
> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
> and
> https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
>
> they both say:
>
> hstsMaxAgeSeconds - The max age value that should be used in the HSTS
> header. Negative values will be treated as zero. If not specified, the
> default value of 0 will be used.
>
> So, if a Tomcat user (like I did at first) configures hstsEnabled=true,
> the HSTS response header is set by Tomcat, but with a max age of zero
> (since that is the default).
>
> However, per the HSTS RFC:
> https://tools.ietf.org/html/rfc6797#section-6.1.1 it says:
>
> NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to cease
> regarding the host as a Known HSTS Host, including the includeSubDomains
> directive (if asserted for that HSTS Host).
>
> I noticed this problem when I first enabled HSTS on my Tomcat dev
> instance, and then passively scanned my web app with OWASP ZAP
> (https://owasp.org/www-project-zap/). ZAP, correctly I believe, pointed
> out that enabling HSTS with a MaxAge of zero is effectively a no-op (i.e.,
> does nothing).
>
> If I'm correct, then I think having a default of zero is dangerous and
> should instead default to something useful and effective, such as one year
> (in seconds), which is what many developers set/configure this value to.
> Otherwise, I think turning HSTS ON in Tomcat might be giving people a false
> sense of security because it really doesn't do anything unless you also
> set MaxAge (which to me isn't intuitive that you should have to do that).
>
> Do you agree with me that this is a problem that should be fixed?

I agree that either a better default should be set or Tomcat should report
this misconfiguration somehow to the user!

> -Dave
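As an added example (not code from the thread, from Tomcat, or from ZAP), the two checks below cover the situation Dave describes from the defender's side: one evaluates a `Strict-Transport-Security` response header per the RFC 6797 directive grammar and flags `max-age=0` as the no-op ZAP reported, the other inspects a `web.xml` fragment for a filter that sets `hstsEnabled=true` without a positive `hstsMaxAgeSeconds`. The header values and the two `web.xml` fragments are constructed for illustration; the filter class name `org.apache.catalina.filters.HttpHeaderSecurityFilter` and the `hstsEnabled`/`hstsMaxAgeSeconds` parameter names are the ones from the Tomcat filter documentation linked above. The config check only flags filters that set `hstsEnabled` explicitly, so it does not depend on the parameter's default.

```python
"""Flag the HSTS max-age=0 no-op (RFC 6797 section 6.1.1) in response
headers and in Tomcat HttpHeaderSecurityFilter configuration.
Added example, not Tomcat or ZAP code; sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

ONE_YEAR = 31536000  # seconds; the value commonly used in practice


def parse_hsts(header_value):
    """Parse an HSTS header value into {directive-name: value-or-None}.
    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, and no directive may appear more than once."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(header_value):
    """Return (effective, reason). effective is False when the header is
    absent, malformed, or carries max-age=0, which tells the UA to stop
    treating the host as a Known HSTS Host instead of enforcing anything."""
    if header_value is None:
        return False, "no Strict-Transport-Security header"
    try:
        d = parse_hsts(header_value)
    except ValueError as e:
        return False, "malformed header: %s" % e
    value = d.get("max-age")
    if value is None or not re.fullmatch(r"\d+", value):
        return False, "max-age directive missing or not an integer"
    max_age = int(value)
    if max_age == 0:
        return False, "max-age=0: no-op, and clears any cached HSTS policy"
    return True, "max-age=%d" % max_age


def _local(tag):
    """Strip an XML namespace prefix like '{http://...}filter'."""
    return tag.rsplit("}", 1)[-1]


def check_tomcat_hsts_config(web_xml):
    """Return [(filter-name, message)] for each <filter> in a web.xml string
    that sets hstsEnabled=true without a positive hstsMaxAgeSeconds, i.e.
    one that would emit a max-age=0 header (the documented default)."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter":
            continue
        name, params = "?", {}
        for child in flt:
            if _local(child.tag) == "filter-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                pn = pv = None
                for c in child:
                    if _local(c.tag) == "param-name":
                        pn = (c.text or "").strip()
                    elif _local(c.tag) == "param-value":
                        pv = (c.text or "").strip()
                if pn is not None:
                    params[pn] = pv
        if (params.get("hstsEnabled") or "").lower() != "true":
            continue
        raw = params.get("hstsMaxAgeSeconds")
        try:
            max_age = int(raw) if raw is not None else 0
        except ValueError:
            max_age = 0
        if max_age <= 0:
            findings.append((name, "hstsEnabled=true but hstsMaxAgeSeconds is "
                             "%s: filter will emit max-age=0 (no-op)"
                             % ("unset (default 0)" if raw is None else raw)))
    return findings


# Constructed web.xml fragments: the weak one relies on the default max age.
FILTER_HEAD = """<web-app><filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
"""
WEAK_WEB_XML = FILTER_HEAD + "</filter></web-app>"
FIXED_WEB_XML = FILTER_HEAD + (
    "  <init-param><param-name>hstsMaxAgeSeconds</param-name>"
    "<param-value>%d</param-value></init-param>\n</filter></web-app>" % ONE_YEAR)

if __name__ == "__main__":
    for hdr in ["max-age=0", "max-age=%d; includeSubDomains" % ONE_YEAR, None]:
        print(hdr, "->", evaluate_hsts(hdr))
    print("weak:", check_tomcat_hsts_config(WEAK_WEB_XML))
    print("fixed:", check_tomcat_hsts_config(FIXED_WEB_XML))
```

Running the block prints the verdict for each constructed header and one finding for the weak `web.xml`, none for the fixed one; the header check is also what a passive scanner such as ZAP is effectively doing when it reports the zero max-age.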