
[JIRA] Commented: (SERVLET_SPEC-63) Consider adding an option to set Strict-Transport-Security header in web.xml

  • From: "Shing Wai Chan (JIRA)" <jira-no-reply@...>
  • To: issues@...
  • Subject: [JIRA] Commented: (SERVLET_SPEC-63) Consider adding an option to set Strict-Transport-Security header in web.xml
  • Date: Fri, 22 Feb 2013 22:24:53 +0000 (GMT+00:00)
  • Auto-submitted: auto-generated


    [ http://java.net/jira/browse/SERVLET_SPEC-63?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=356867#action_356867 ]

Shing Wai Chan commented on SERVLET_SPEC-63:
--------------------------------------------

Adding it to the bucket of FUTURE_RELEASE

> Consider adding an option to set Strict-Transport-Security header in web.xml
> ----------------------------------------------------------------------------
>
>                 Key: SERVLET_SPEC-63
>                 URL: http://java.net/jira/browse/SERVLET_SPEC-63
>             Project: servlet-spec
>          Issue Type: Improvement
>            Reporter: Samuel Santos
>
> Transparent redirection to HTTPS means that the vast majority of the time 
> your users are on your site, they'll be using a secure connection. It does, 
> however, leave a small window of opportunity for attack: the initial HTTP 
> connection is wide open, vulnerable to [SSL 
> stripping|http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Applicability]
>  and related attacks. Given that a man in the middle has complete access to 
> the initial HTTP request, it can act as a proxy between you and the server, 
> keeping you on an insecure HTTP connection regardless of the server's 
> intentions.
> You can mitigate the risk of this class of attack by asking the browser to 
> enforce [HTTP Strict Transport Security 
> (HSTS)|http://tools.ietf.org/html/rfc6797]. Sending the
> {{Strict-Transport-Security}} HTTP header instructs the browser to do the 
> HTTP to HTTPS redirection _client-side_, without ever touching the network 
> (this also happens to be great for performance; the best request is the one 
> you don't have to make).
> Please consider adding an option to set this header in {{web.xml}}.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
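Until a container offers the web.xml option requested above, the header can be emitted by a servlet Filter. The following is an added illustration, not code from the servlet-spec project or from the issue reporter; the init-param names `max-age-seconds` and `include-subdomains` are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example: emits Strict-Transport-Security from a Filter.
// Register it in web.xml with a <filter> element whose init-params
// (max-age-seconds, include-subdomains; names assumed here) tune the
// policy, and a <filter-mapping> with <url-pattern>/*</url-pattern>.
public class HstsFilter implements Filter {
    private long maxAgeSeconds = 31536000L; // default: one year
    private boolean includeSubDomains = false;
    private String headerValue;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String maxAge = config.getInitParameter("max-age-seconds");
        if (maxAge != null) {
            maxAgeSeconds = Long.parseLong(maxAge.trim());
        }
        includeSubDomains = Boolean.parseBoolean(config.getInitParameter("include-subdomains"));
        // Build the directive string once; the value never changes per request.
        headerValue = "max-age=" + maxAgeSeconds
                + (includeSubDomains ? "; includeSubDomains" : "");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // RFC 6797 section 7: the header must only be sent over a secure
        // transport. Browsers ignore it on plain HTTP, so emitting it there
        // would not close the initial-HTTP window the issue describes.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security", headerValue);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The browser only caches the policy after a response over HTTPS, so the existing HTTP-to-HTTPS redirect is still needed for the very first visit; afterwards the browser performs that redirect client-side.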
