
Consider adding an option to set Strict-Transport-Security header in web.xml

Open glassfishrobot opened this issue 12 years ago • 9 comments

Transparent redirection to HTTPS means that the vast majority of the time your users are on your site, they'll be using a secure connection. It does, however, leave a small window of opportunity for attack: the initial HTTP connection is wide open, vulnerable to SSL stripping and related attacks. Given that a man in the middle has complete access to the initial HTTP request, it can act as a proxy between you and the server, keeping you on an insecure HTTP connection regardless of the server's intentions.

You can mitigate the risk of this class of attack by asking the browser to enforce HTTP Strict Transport Security (HSTS). Sending the Strict-Transport-Security HTTP header instructs the browser to do the HTTP to HTTPS redirection client-side, without ever touching the network (this also happens to be great for performance; the best request is the one you don't have to make).

Please consider adding an option to set this header in web.xml.

glassfishrobot avatar Feb 21 '13 02:02 glassfishrobot

  • Issue Imported From: https://github.com/javaee/servlet-spec/issues/63
  • Original Issue Raised By: @glassfishrobot
  • Original Issue Assigned To: @shingwaichan

glassfishrobot avatar Jun 06 '18 07:06 glassfishrobot

@glassfishrobot Commented Reported by silenius

glassfishrobot avatar Feb 21 '13 02:02 glassfishrobot

@glassfishrobot Commented markt_asf said: HSTS itself has a fairly large flaw in that the MITM can just remove the header before it ever reaches the client.

I'm not convinced of the usefulness of this mitigation. Sites that want to use it can always write a simple filter to add it.

glassfishrobot avatar Feb 21 '13 13:02 glassfishrobot

@glassfishrobot Commented @shingwaichan said: Adding it to the bucket of FUTURE_RELEASE

glassfishrobot avatar Feb 22 '13 22:02 glassfishrobot

@glassfishrobot Commented This issue was imported from java.net JIRA SERVLET_SPEC-63

glassfishrobot avatar Apr 26 '17 06:04 glassfishrobot

I don't know if we need this, as it can be easily added by a filter.

If we were going to do something like this though I would prefer to see a general way to add headers, rather than something specific.

stuartwdouglas avatar Sep 13 '20 00:09 stuartwdouglas

Using a Filter is just fine, IMO!

martin-g avatar Sep 14 '20 09:09 martin-g

I don't think we want to be adding configuration options for individual headers in web.xml.

markt-asf avatar Sep 14 '20 10:09 markt-asf

I agree that a filter is the way to go, especially because you typically only want to set this header in production mode, but not for development.

chkal avatar Sep 19 '20 14:09 chkal
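The "simple filter" markt_asf mentions and the production-only toggle chkal describes, as an added example that is not part of this thread or of the Servlet spec: a jakarta.servlet Filter (hypothetical class HstsFilter, with assumed init-param names hsts.enabled, hsts.maxAgeSeconds and hsts.includeSubDomains) that sets the header only on responses that were served over TLS.

```java
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.annotation.WebInitParam;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of the Servlet spec): adds
// Strict-Transport-Security to responses served over TLS. The init-param
// names are assumptions; the same values can be declared in web.xml instead.
@WebFilter(filterName = "HstsFilter", urlPatterns = "/*", initParams = {
        @WebInitParam(name = "hsts.enabled", value = "true"),
        @WebInitParam(name = "hsts.maxAgeSeconds", value = "31536000"),
        @WebInitParam(name = "hsts.includeSubDomains", value = "true") })
public class HstsFilter implements Filter {

    private boolean enabled;
    private String headerValue;

    @Override
    public void init(FilterConfig config) {
        // Off unless explicitly enabled, so a dev deployment never pins the browser to HTTPS.
        enabled = Boolean.parseBoolean(param(config, "hsts.enabled", "false"));
        long maxAge = Long.parseLong(param(config, "hsts.maxAgeSeconds", "31536000"));
        boolean subs = Boolean.parseBoolean(param(config, "hsts.includeSubDomains", "false"));
        headerValue = "max-age=" + maxAge + (subs ? "; includeSubDomains" : "");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Browsers ignore HSTS received over plain HTTP, so only emit it on TLS requests.
        // Behind a TLS-terminating proxy, isSecure() is only correct if the container is
        // configured to trust the proxy's forwarded-proto header.
        if (enabled && req.isSecure() && res instanceof HttpServletResponse) {
            ((HttpServletResponse) res).setHeader("Strict-Transport-Security", headerValue);
        }
        chain.doFilter(req, res);
    }

    private static String param(FilterConfig config, String name, String fallback) {
        String value = config.getInitParameter(name);
        return value == null ? fallback : value;
    }
}
```

On containers still on the javax.servlet package, the imports change to javax.servlet and the rest is identical; per-environment values belong in the deployment's web.xml `<filter>` element rather than in the annotation.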