
[JIRA] Commented: (SERVLET_SPEC-63) Consider adding an option to set Strict-Transport-Security header in web.xml

  • From: "markt_asf (JIRA)" <jira-no-reply@...>
  • To: issues@...
  • Subject: [JIRA] Commented: (SERVLET_SPEC-63) Consider adding an option to set Strict-Transport-Security header in web.xml
  • Date: Thu, 21 Feb 2013 13:08:53 +0000 (GMT+00:00)
  • Auto-submitted: auto-generated


[ http://java.net/jira/browse/SERVLET_SPEC-63?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=356680#action_356680 ]

markt_asf commented on SERVLET_SPEC-63:
---------------------------------------

HSTS itself has a fairly large flaw in that the MITM can just remove the 
header before it ever reaches the client.

I'm not convinced of the usefulness of this mitigation. Sites that want to 
use it can always write a simple filter to add it.

> Consider adding an option to set Strict-Transport-Security header in web.xml
> ----------------------------------------------------------------------------
>
>                 Key: SERVLET_SPEC-63
>                 URL: http://java.net/jira/browse/SERVLET_SPEC-63
>             Project: servlet-spec
>          Issue Type: Improvement
>            Reporter: Samuel Santos
>
> Transparent redirection to HTTPS means that the vast majority of the time 
> your users are on your site, they'll be using a secure connection. It does, 
> however, leave a small window of opportunity for attack: the initial HTTP 
> connection is wide open, vulnerable to [SSL 
> stripping|http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Applicability]
>  and related attacks. Given that a man in the middle has complete access to 
> the initial HTTP request, it can act as a proxy between you and the server, 
> keeping you on an insecure HTTP connection regardless of the server's 
> intentions.
> You can mitigate the risk of this class of attack by asking the browser to 
> enforce [HTTP Strict Transport Security 
> (HSTS)|http://tools.ietf.org/html/rfc6797]. Sending the
> {{Strict-Transport-Security}} HTTP header instructs the browser to do the 
> HTTP to HTTPS redirection _client-side_, without ever touching the network 
> (this also happens to be great for performance; the best request is the one 
> you don't have to make).
> Please consider adding an option to set this header in {{web.xml}}.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
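The "simple filter" the comment refers to, written out as an added example (this is not code from the thread, from the servlet specification, or from any container). It sets the header only on responses to requests that arrived over a secure connection, which is what RFC 6797 section 7.2 requires of an HSTS host, and it reads its policy from two init-params, maxAgeSeconds and includeSubDomains, whose names are assumptions made for this example. Like the header itself, the filter only protects a browser that has already completed one secure visit; it does nothing for the first plain-HTTP request the issue description and the comment both discuss.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Example registration in web.xml (init-param names are assumptions
 * for this example, not spec-defined names):
 *
 *   <filter>
 *     <filter-name>hsts</filter-name>
 *     <filter-class>HstsFilter</filter-class>
 *     <init-param><param-name>maxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
 *     <init-param><param-name>includeSubDomains</param-name><param-value>true</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>hsts</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HstsFilter implements Filter {

    // Policy defaults, overridable through init-params.
    private long maxAgeSeconds = 31536000L;      // one year
    private boolean includeSubDomains = false;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String maxAge = config.getInitParameter("maxAgeSeconds");
        if (maxAge != null && !maxAge.trim().isEmpty()) {
            maxAgeSeconds = Long.parseLong(maxAge.trim());
            if (maxAgeSeconds < 0) {
                throw new ServletException("maxAgeSeconds must not be negative");
            }
        }
        includeSubDomains = Boolean.parseBoolean(config.getInitParameter("includeSubDomains"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // RFC 6797 section 7.2: the header must not be sent over non-secure
        // transport, and browsers ignore it there anyway. isSecure() is the
        // container's view; behind a TLS-terminating proxy it may need to be
        // derived from a trusted forwarded header instead.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            ((HttpServletResponse) res).setHeader("Strict-Transport-Security", headerValue());
        }
        chain.doFilter(req, res);
    }

    // Builds the directive string, e.g. "max-age=31536000; includeSubDomains".
    String headerValue() {
        StringBuilder sb = new StringBuilder("max-age=").append(maxAgeSeconds);
        if (includeSubDomains) {
            sb.append("; includeSubDomains");
        }
        return sb.toString();
    }

    @Override
    public void destroy() {
    }
}
```

Because the header is set before the chain continues, a downstream servlet can still override or remove it; map the filter early and at "/*" so every secure response carries a consistent policy, and treat the max-age value as a commitment, since a browser that has cached a long max-age will refuse plain-HTTP access to the host until it expires.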
