
[JIRA] Created: (SERVLET_SPEC-63) Consider adding an option to set Strict-Transport-Security header in web.xml

  • From: "Samuel Santos (JIRA)" <jira-no-reply@...>
  • To: issues@...
  • Subject: [JIRA] Created: (SERVLET_SPEC-63) Consider adding an option to set Strict-Transport-Security header in web.xml
  • Date: Thu, 21 Feb 2013 02:17:53 +0000 (GMT+00:00)
  • Auto-submitted: auto-generated

Consider adding an option to set Strict-Transport-Security header in web.xml
----------------------------------------------------------------------------

                 Key: SERVLET_SPEC-63
                 URL: http://java.net/jira/browse/SERVLET_SPEC-63
             Project: servlet-spec
          Issue Type: Improvement
            Reporter: Samuel Santos


Transparent redirection to HTTPS means that the vast majority of the time your users are on your site, they'll be using a secure connection. It does, however, leave a small window of opportunity for attack: the initial HTTP connection is wide open, vulnerable to [SSL stripping|http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Applicability] and related attacks. Given that a man in the middle has complete access to the initial HTTP request, it can act as a proxy between you and the server, keeping you on an insecure HTTP connection regardless of the server's intentions.

You can mitigate the risk of this class of attack by asking the browser to enforce [HTTP Strict Transport Security (HSTS)|http://tools.ietf.org/html/rfc6797]. Sending the {{Strict-Transport-Security}} HTTP header instructs the browser to do the HTTP to HTTPS redirection _client-side_, without ever touching the network (this also happens to be great for performance; the best request is the one you don't have to make).

Please consider adding an option to set this header in {{web.xml}}.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
