On 08/05/2015 23:49, Rémy Maucherat wrote:
> 2015-05-08 21:14 GMT+02:00 Mark Thomas <ma...@apache.org>:
> 
>> I'd like to back-port this but before I do I'd like to hear other
>> people's views on the following?
>>
>> - Should it be back-ported to 8.0.x
>>   - Should it be enabled by default
>> - Should it be back-ported to 7.0.x
>>   - Should it be enabled by default
>> - Should it be back-ported to 6.0.x
>>   - Should it be enabled by default
>>
>> My own views are:
>> Yes/No
>> Yes/No
>> No/Not applicable
>>
> +1
> 
> No for enabling it by default in 9.0.x as well.

The catalyst for this work was reading RFC 7525 [1]. That got me
thinking about similar headers.

In [1] HSTS support is a MUST and using it is a SHOULD. On that basis I
think 9.0.x should use it by default unless there is a really good
reason not to.

While the other headers are not required by any RFC (as far as I am
aware) they are good for security so again I think they should be
enabled by default unless there is a good reason not to.

Mark


[1] https://www.rfc-editor.org/rfc/rfc7525.txt


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
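A way to check whether a response actually carries the protections discussed in this thread, as an added example that is not part of the mailing-list message and not Tomcat's own code: it parses a Strict-Transport-Security value according to RFC 6797 (required max-age, integer value, no duplicate directives), flags the case practitioners most often get wrong (HSTS emitted on a plaintext response, which browsers must ignore), and checks X-Frame-Options and X-Content-Type-Options alongside it. The sample header sets and the one-year minimum max-age threshold are constructed for the example and are assumptions, not values taken from the RFC or from Tomcat.

```python
"""Audit HTTP response headers for HSTS (RFC 6797), X-Frame-Options and
X-Content-Type-Options.  Sample responses at the bottom are constructed."""
import re

# One year: threshold assumed by this example as a sensible minimum max-age
# (it is also what hstspreload.org requires); not a value from RFC 7525.
ONE_YEAR = 365 * 24 * 3600


class HstsError(ValueError):
    """A Strict-Transport-Security value that violates the RFC 6797 grammar."""


def parse_hsts(value):
    """Parse an STS header value into {directive-name: value-or-None}.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, each name may appear at most once, max-age is
    mandatory and its value is a non-negative integer, possibly quoted.
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:  # the grammar permits empty directives, e.g. a trailing ';'
            continue
        name, eq, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if eq and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of the directive value
        if name in directives:
            raise HstsError(f"duplicate directive {name!r}")
        directives[name] = val if eq else None
    if "max-age" not in directives:
        raise HstsError("max-age directive is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        raise HstsError("max-age must be a non-negative integer")
    return directives


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def audit_headers(headers, served_over_tls, min_max_age=ONE_YEAR):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        if served_over_tls:
            findings.append("HSTS: header missing on a TLS response")
    elif not served_over_tls:
        # RFC 6797 section 8.1: a UA MUST ignore an STS header received over
        # insecure transport, so the header is dead weight on http:// and the
        # first plaintext request remains strippable.
        findings.append("HSTS: header sent over plaintext HTTP is ignored by browsers")
    else:
        try:
            directives = parse_hsts(hsts)
        except HstsError as exc:
            findings.append(f"HSTS: invalid header ({exc})")
        else:
            max_age = int(directives["max-age"])
            if max_age == 0:
                findings.append("HSTS: max-age=0 tells browsers to forget the policy")
            elif max_age < min_max_age:
                findings.append(f"HSTS: max-age {max_age} is below {min_max_age}")
            if "includesubdomains" not in directives:
                findings.append("HSTS: includeSubDomains not set; subdomains stay unprotected")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing (clickjacking possible)")
    elif not re.fullmatch(r"(?i)DENY|SAMEORIGIN|ALLOW-FROM\s+\S+", xfo.strip()):
        findings.append(f"X-Frame-Options: unrecognised value {xfo!r}")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: not 'nosniff' (MIME sniffing possible)")

    return findings


# Constructed samples: one hardened TLS response, one http:// response that
# sets HSTS anyway, one TLS response with weak values.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
PLAINTEXT = {"Strict-Transport-Security": "max-age=31536000"}
WEAK = {
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs, tls in [("hardened", HARDENED, True),
                             ("plaintext", PLAINTEXT, False),
                             ("weak", WEAK, True)]:
        print(label, audit_headers(hdrs, tls) or "OK")
```

The plaintext case is the caveat worth remembering when a filter like this is enabled by default: the header must be emitted only on responses the container knows were served over TLS, otherwise it is silently ignored and gives a false sense of coverage.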
