[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 Mark Thomas changed: What|Removed |Added Resolution|--- |FIXED

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 Ralf Hauser changed: What|Removed |Added Product|Tomcat 7|Tomcat 8

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #19 from Ralf Hauser --- add a "preload" init-param as per https://hstspreload.org/ and https://bugzilla.mozilla.org/show_bug.cgi?id=1334764 -- You are receiving this mail because: You are the assignee for the

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #18 from Ralf Hauser --- Interesting client side discussions in https://bugzilla.mozilla.org/show_bug.cgi?id=572803#c10 -- You are receiving this mail because: You are the assignee for the bug.

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 Ralf Hauser changed: What|Removed |Added CC||hau...@acm.org -- You

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #17 from Ilguiz Latypov --- A web application using Spring hijacked the global filter configuration (did not add the header). -- You are receiving this mail because: You are the assignee for the bug.

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 Mark Thomas ma...@apache.org changed: What|Removed |Added Resolution|--- |FIXED

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://bz.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #15 from Mark Thomas ma...@apache.org --- I've just added an HTTP header security filter that adds the HSTS header by default for 9.0.x. I plan to expand the set of headers this filter adds/ -- You are receiving this mail because:

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 Matafagafo matafag...@yahoo.com changed: What|Removed |Added CC|

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #14 from Matthew de Detrich mdedetr...@gmail.com --- I agree that this is something that should be able to be implemented without having to edit application code, particularly if it prevents the issues regarding ordering that

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #13 from Jens Borgland jens.borgl...@gmail.com --- The filter I wrote was intended as a suggestion, I haven't used this actual implementation anywhere. I agree that the header should be set before calling chain.doFilter() so if

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 Christopher Schultz ch...@christopherschultz.net changed: What|Removed |Added Attachment #3|application/octet-stream

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #9 from Christopher Schultz ch...@christopherschultz.net --- (In reply to Steve Sether from comment #8) I think this is an important feature for Tomcat to support out of the box. Then vote for it: there are currently 5 votes

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #10 from Christopher Schultz ch...@christopherschultz.net --- I think there is a bug in the Filter implementation provided by Jens: The filter calls chain.doFilter() and then adds the header afterward. This isn't going to work

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #11 from Konstantin Kolinko knst.koli...@gmail.com --- (In reply to Christopher Schultz from comment #9) The Filter can be added to conf/web.xml and will apply to all web applications hosted by the container. I'm not sure in

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #12 from Konstantin Kolinko knst.koli...@gmail.com --- (In reply to Steve Sether from comment #8) Furthermore though, headers like this should be insanely easy to just add to all the headers of a domain hosted on a machine.

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 --- Comment #8 from Steve Sether st...@sether.org --- I think this is an important feature for Tomcat to support out of the box. Furthermore though, headers like this should be insanely easy to just add to all the headers of a domain

[Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54618 Christopher Schultz ch...@christopherschultz.net changed: What|Removed |Added Summary|Add filter implementing