Heya,

> Symfony should be "secure by default". So maybe it makes sense to think
> about setting the Strict-Transport-Security header in the core because
> it is currently a HUGE security problem as SecureNet found out [1].
> Unfortunately it seems the article is only available in German.
The problem is you kind of have to be aware of HSTS and configure it right, otherwise you risk blowing up your site. If you send HSTS headers that say the site must go over SSL with a 30-day cache and then have to disable SSL for any reason, your site becomes inaccessible to all returning visitors. Same for subdomains.

If we can't make it automatic based on app settings, and it has to be configured separately, then having it in core or not doesn't change so much. Giving it more visibility might be good though, but that could simply be a reference to the bundle in the docs. It's been done for other things.

Cheers

--
Jordi Boggiano
@seldaek - http://nelm.io/jordi

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
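The failure mode Jordi describes (HSTS cached for 30 days, TLS switched off, returning visitors locked out, subdomains dragged in by includeSubDomains) is easy to reproduce with a small model of a browser's HSTS store. The following is an added example, not code from the original thread, from Symfony or from the bundle mentioned; it models the RFC 6797 behaviour a user agent applies (header honoured only over TLS, URL rewritten to https before any request, no fallback to http, max-age=0 clears the entry). The hosts example.com and blog.example.com and the `Site` stand-in for an origin server are constructed for the demonstration.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class Site:
    """Constructed stand-in for an origin server whose TLS can be switched off."""
    tls_enabled: bool
    headers: dict = field(default_factory=dict)


@dataclass
class HstsEntry:
    expires_at: float        # absolute time (seconds) after which the entry is dropped
    include_subdomains: bool


def parse_hsts(header: str):
    """Parse 'max-age=N[; includeSubDomains]' into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


@dataclass
class Browser:
    """Tiny user agent: an HSTS store keyed by host, as real browsers keep one."""
    now: float = 0.0
    store: dict = field(default_factory=dict)

    def remember(self, host: str, headers: dict, over_tls: bool):
        """RFC 6797: the header is only honoured when received over a clean TLS connection."""
        header = headers.get("Strict-Transport-Security")
        if not over_tls or header is None:
            return
        max_age, include_sub = parse_hsts(header)
        if max_age is None:
            return
        if max_age == 0:
            self.store.pop(host, None)   # max-age=0 is the documented way to un-pin a host
            return
        self.store[host] = HstsEntry(self.now + max_age, include_sub)

    def is_pinned(self, host: str) -> bool:
        """True if host, or a superdomain that set includeSubDomains, is a known HSTS host."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.store.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= self.now:
                del self.store[candidate]   # expired entries are forgotten
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def fetch(self, site: Site, host: str, scheme: str = "http") -> str:
        """Outcome of a navigation: 'ok', 'ok (upgraded)' or 'connection refused'."""
        upgraded = False
        if scheme == "http" and self.is_pinned(host):
            scheme, upgraded = "https", True   # rewritten before any request leaves the browser
        if scheme == "https":
            if not site.tls_enabled:
                return "connection refused"    # HSTS forbids falling back to plain http
            self.remember(host, site.headers, over_tls=True)
        return "ok (upgraded)" if upgraded else "ok"


def scenario(max_age: int = 30 * DAY, include_subdomains: bool = False, days_offline: int = 1) -> dict:
    """Replay the thread's scenario: HSTS sent, TLS later disabled, visitors come back."""
    hsts = f"max-age={max_age}" + ("; includeSubDomains" if include_subdomains else "")
    site = Site(tls_enabled=True, headers={"Strict-Transport-Security": hsts})
    ua = Browser()
    first = ua.fetch(site, "example.com", "https")      # first visit over TLS: header cached
    site.tls_enabled = False                            # operator turns TLS off for some reason
    ua.now += days_offline * DAY
    return {
        "first_visit": first,
        "returning_visitor": ua.fetch(site, "example.com", "http"),   # plain link, still upgraded
        "subdomain": ua.fetch(site, "blog.example.com", "http"),      # only hit with includeSubDomains
    }


def unpin_before_disabling_tls() -> str:
    """Safe teardown: serve max-age=0 while TLS is still up, so returning browsers drop the entry."""
    site = Site(True, {"Strict-Transport-Security": f"max-age={30 * DAY}"})
    ua = Browser()
    ua.fetch(site, "example.com", "https")
    site.headers["Strict-Transport-Security"] = "max-age=0"
    ua.fetch(site, "example.com", "https")   # visitor returns while TLS is still on
    site.tls_enabled = False
    return ua.fetch(site, "example.com", "http")


if __name__ == "__main__":
    print(scenario())
    print(scenario(include_subdomains=True))
    print(scenario(days_offline=31))
    print(unpin_before_disabling_tls())
```

Two practical points fall out of the model: the lock-out lasts until the cached max-age expires, whatever the server does in the meantime, and the max-age=0 escape hatch only helps visitors who return while TLS is still up. That is why a rollout usually starts with a short max-age and adds includeSubDomains only once every subdomain is known to serve TLS.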
