[ https://issues.apache.org/jira/browse/SOLR-15578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552635#comment-17552635 ]
Uwe Schindler commented on SOLR-15578:
--------------------------------------

Very important: If you add the header, DO NOT add the "include-subdomains". This can lead to horrible problems for organizations that don't want to enforce HTTPS, because suddenly all hosts in DNS below the solr host need HTTPS.

But in general. Please don't, don't enable this by default - sorry. This is catastrophic. Just tell the people how to enable it in an easy way.

Another idea would be to remove the header from config files and make the default request filter in Solr add it, if and only if the Solr cluster has figured out that it has an official certificate (letsencrypt or else) and not a self-signed one.

> Add Support for HSTS Security Protocol
> --------------------------------------
>
>                 Key: SOLR-15578
>                 URL: https://issues.apache.org/jira/browse/SOLR-15578
>             Project: Solr
>          Issue Type: Improvement
>          Components: Server, v2 API
>   Affects Versions: 9.0
>            Reporter: Marcus Eagan
>            Priority: Major
>          Time Spent: 2h
>  Remaining Estimate: 0h
>
> A committer raised the idea of supporting the HSTS protocol and I think it is a
> good idea. We can add it somewhat easily as an option.
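
The scope effect raised in the comment above, as an added example that is not part of the original message or of Solr's code: it parses a `Strict-Transport-Security` value and lists which hosts a browser would upgrade to HTTPS, with and without the subdomain directive (spelled `includeSubDomains` in RFC 6797). The host names and the `HstsPolicy`, `parse_hsts` and `forced_to_https` names are constructed for illustration.

```python
# Added example, not Solr code. Host names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns None when the header has to be ignored: max-age missing or
    not a number, or a directive appearing twice.
    """
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue  # empty directives ("a;;b") are allowed
        if name in seen:
            return None
        seen[name] = arg.strip().strip('"')  # value may be a quoted-string
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None
    return HstsPolicy(int(age), "includesubdomains" in seen)


def forced_to_https(policy_host, policy, hosts):
    """Hosts a browser upgrades to HTTPS once it has stored `policy`
    for `policy_host` (host matching per RFC 6797, section 8.2)."""
    if policy is None or policy.max_age == 0:
        return []  # max-age=0 tells the browser to drop the policy
    base = policy_host.lower().rstrip(".")
    covered = []
    for host in hosts:
        h = host.lower().rstrip(".")
        if h == base or (policy.include_subdomains and h.endswith("." + base)):
            covered.append(host)
    return covered


# Constructed inventory: the Solr host, two hosts below it, one sibling.
HOSTS = ["solr.example.org", "zk1.solr.example.org",
         "metrics.solr.example.org", "wiki.example.org"]
```

Running `forced_to_https` over a real DNS inventory before turning the header on shows which plain-HTTP services below the Solr host would stop being reachable from browsers that have stored the policy.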