Re: HSTS and Mid Tier

2016-11-28 Thread Axton
Most of the web apps I setup with HSTS have apache httpd in front of them.
I set it up in httpd and call it a day.  It's pretty straightforward.  I
tend to lean toward httpd for end user facing interfaces because it's much
easier to manage and secure 1 piece of software (httpd) than trying to deal
with all the different versions of jetty, wildfly, jboss, websphere,
tomcat, nginx, etc. floating around out there.  Using something like httpd
also allows me to consolidate many apps into a single web server using
virtualhosts with https/sni.  It's not such a big deal with something like
Remedy because there are limited web interfaces, but when dealing with
hundreds of user facing endpoints, it simplifies things.  My 2 cents.

Axton

On Thu, Nov 10, 2016 at 10:52 AM, Joe Castleman wrote:

> Greetings!
>
> I run a public-facing Mid Tier.  I've been tasked with implementing HSTS
> on the web servers.  I'm running Mid Tier 8.1, using IIS and Tomcat on
> Windows 2008 Server.
>
> I came across this at BMC Communities:
> "Currently, the Tomcat HSTS security filter is not compatible with
> Mid-Tier. Given that this is a standard feature which relates to the
> security of the application\environment it would be a good thing to have
> compatibility." (link )
>
> I haven't hung around Communities much, but evidently this is an "Idea"
> (i.e. an enhancement request) and, as such, is subject to a vote.  BMC
> Support confirmed that:
>
> 1. yes, it's subject to a vote;
> 2. Mid Tier is indeed incompatible with the Tomcat HSTS filter;
> 3. Furthermore it isn't compatible with _any_ HSTS filter.
>
> I can only see the demand for HSTS-compatibility increasing, and I wonder
> if or how others are dealing with this (beyond obtaining a waiver for HSTS
> non-compliance)?
>
> And I'm not sure I can/should use this venue for such a request, but is
> anyone else willing to click on that Communities link and vote this one up
> the flagpole?
>
> Bright Moments,
>
> Joe Castleman
> _ARSlist: "Where the Answers Are" and have been for 20 years_

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
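The setup Axton describes, written out as an added example (this is not configuration from the list post, from BMC, or from any project): Apache httpd terminates TLS for two SNI-selected virtual hosts, emits the HSTS header once at the proxy, and forwards to an application server such as Tomcat on localhost. Every hostname, port, certificate path and the `/app` context path is a placeholder.

```apache
# Added example, not from the original post. Assumes mod_ssl, mod_headers,
# mod_rewrite, mod_proxy and mod_proxy_http are loaded. All names are placeholders.

Listen 80
Listen 443

# Plain-HTTP side: nothing but a redirect. Browsers ignore
# Strict-Transport-Security on non-TLS responses, so the header is only
# sent from the :443 hosts below.
<VirtualHost *:80>
    ServerName  app1.example.com
    ServerAlias app2.example.com
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# First :443 host is also what non-SNI clients get; put the most general
# certificate here.
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app1.example.com.key

    # "always" makes mod_headers add the header to every response, including
    # httpd-generated 4xx/5xx and redirect pages; without it those are missed.
    # "set" replaces anything the backend might send, so policy lives in one place.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Backend is reached over plain HTTP on the loopback interface only.
    ProxyPreserveHost On
    ProxyPass        /app http://127.0.0.1:8080/app
    ProxyPassReverse /app http://127.0.0.1:8080/app
</VirtualHost>

# Second application on the same IP/port, selected by SNI.
<VirtualHost *:443>
    ServerName app2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app2.example.com.key

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    ProxyPreserveHost On
    ProxyPass        /app http://127.0.0.1:8081/app
    ProxyPassReverse /app http://127.0.0.1:8081/app
</VirtualHost>
```

Two practical notes. Roll out with a short `max-age` (minutes, not a year) until every hostname covered by `includeSubDomains` is confirmed to serve valid TLS, because a browser that has cached the policy will refuse plain HTTP to all of them for the full period and there is no server-side way to shorten that for clients already holding the old value. After restarting httpd, check with `curl -sI https://app1.example.com/app` that the header appears on a normal response and on an error page (e.g. a nonexistent path), and with `curl -sI http://app1.example.com/` that the HTTP side answers only with a 301 to the https URL and no HSTS header.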


HSTS and Mid Tier

2016-11-10 Thread Joe Castleman
Greetings!

I run a public-facing Mid Tier.  I've been tasked with implementing HSTS on
the web servers.  I'm running Mid Tier 8.1, using IIS and Tomcat on Windows
2008 Server.

I came across this at BMC Communities:
"Currently, the Tomcat HSTS security filter is not compatible with
Mid-Tier. Given that this is a standard feature which relates to the
security of the application\environment it would be a good thing to have
compatibility." (link )

I haven't hung around Communities much, but evidently this is an "Idea"
(i.e. an enhancement request) and, as such, is subject to a vote.  BMC
Support confirmed that:

   1. yes, it's subject to a vote;
   2. Mid Tier is indeed incompatible with the Tomcat HSTS filter;
   3. Furthermore it isn't compatible with _any_ HSTS filter.
I can only see the demand for HSTS-compatibility increasing, and I wonder
if or how others are dealing with this (beyond obtaining a waiver for HSTS
non-compliance)?

And I'm not sure I can/should use this venue for such a request, but is
anyone else willing to click on that Communities link and vote this one up
the flagpole?

Bright Moments,

Joe Castleman
