Great! Can you add a test and submit a PR?

On Tue, Jan 10, 2017 at 4:25 AM, Björn Raupach <[email protected]> wrote:
> Hello group,
>
> as an exercise I went ahead and extended the SslFilter with support
> for HTTP Strict Transport Security (HSTS).
>
> At least I think I did. Not that familiar with the internals. I overrode
> the method postHandle in SslFilter to add the header. Is this the correct
> place? Or say the correct place in general to add headers in filters?
>
> HTTP Strict Transport Security (HSTS) would be a nice addition for all the
> SSL only sites out there. I think in recent years more and more pages have
> gone full SSL, with good reasons to do so. It is a bit problematic with
> SslFilter since this one is path based. If you go HSTS then everything on
> the site uses https. This might break things if you have a path with ssl
> and one without. You can do that with shiro but not with HSTS.
>
> You can have a look at the current code here:
> https://github.com/raupachz/shiro/blob/hsts/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
>
> Thanks in advance
>
> /Björn
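
A sketch of the approach discussed in this thread, added here as an example; it is not the code in the linked branch and not Shiro's own implementation. The class name `HstsSslFilter`, its two properties and the one-year default are assumptions; it relies on `postHandle` being the after-chain hook inherited from `AdviceFilter`, and it sends the header only on secure requests that have not yet been committed.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authz.SslFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical subclass for illustration only. */
public class HstsSslFilter extends SslFilter {

    static final String HSTS_HEADER = "Strict-Transport-Security";

    private long maxAgeSeconds = 31536000L;   // one year; assumed default
    private boolean includeSubDomains = false;

    public void setMaxAgeSeconds(long maxAgeSeconds) {
        if (maxAgeSeconds < 0) {
            throw new IllegalArgumentException("max-age must be >= 0");
        }
        this.maxAgeSeconds = maxAgeSeconds;
    }

    public void setIncludeSubDomains(boolean includeSubDomains) {
        this.includeSubDomains = includeSubDomains;
    }

    /** Builds the header value, e.g. "max-age=31536000; includeSubDomains". */
    String headerValue() {
        StringBuilder sb = new StringBuilder("max-age=").append(maxAgeSeconds);
        if (includeSubDomains) {
            sb.append("; includeSubDomains");
        }
        return sb.toString();
    }

    @Override
    protected void postHandle(ServletRequest request, ServletResponse response)
            throws Exception {
        // Browsers ignore HSTS received over plain HTTP, so skip insecure requests.
        if (!request.isSecure()) {
            return;
        }
        HttpServletResponse http = WebUtils.toHttp(response);
        // postHandle runs after the chain; a committed response can no longer
        // accept headers, so the policy would silently be missing there.
        if (http.isCommitted()) {
            return;
        }
        // The policy applies to the whole host, not only the paths this
        // filter is mapped to, which is the path-based caveat raised above.
        http.setHeader(HSTS_HEADER, headerValue());
    }
}
```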
