On Friday, 5 October 2012 12:32:01 UTC+2, Markus Lanthaler wrote:
>
> On Wednesday, 3 October 2012 13:17:45 UTC+2, Jordi Boggiano wrote:
>>
>> Not sure if this belongs in core or not given the configuration
>> requirements (it's not a simple on/off feature), but FYI the feature is
>> provided by the NelmioSecurityBundle:
>>
>> https://github.com/nelmio/NelmioSecurityBundle#forced-httpsssl-handling
>>
> I wasn't aware of this, thanks for the pointer Jordi! I don't think this
> belongs to core if it's already supported by a bundle.
>
Symfony should be "secure by default". So maybe it makes sense to think about setting the Strict-Transport-Security header in the core because it is currently a HUGE security problem as SecureNet found out [1]. Unfortunately it seems the article is only available in German.

Regards,
Matthias

[1] http://www.heise.de/newsticker/meldung/Studie-Informationen-trotz-SSL-Verschluesselung-nicht-sicher-1742426.html

> Cheers,
> Markus
>
> --
> Markus Lanthaler
> @markuslanthaler
