tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 54618] Add filter implementing HTTP Strict Transport Security (HSTS) [PATCH]
Date Fri, 06 Jun 2014 14:44:21 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=54618

--- Comment #9 from Christopher Schultz <chris@christopherschultz.net> ---
(In reply to Steve Sether from comment #8)
> I think this is an important feature for Tomcat to support out of the box. 

Then vote for it: there are currently 5 votes from a single person for this
issue. More votes = more attention.

> So this is incredibly trivial to do in Apache since adding headers is very,
> very easy.  It's far harder to do this on Tomcat since it requires code
> modifications.  Why can't Tomcat have a similar feature?

Adding a Filter (assuming it's already been written/compiled) only requires
configuration, just like Apache httpd. If you don't have mod_headers, it
"requires a code change" just as this does.

The Filter is attached to this issue. Feel free to download it and use it. It
just hasn't made it into Tomcat's distribution yet.

> IMO the solution should be broader than just this one header, and should be
> a simple config option that an admin can add or subtract rather than having
> to implement this on every web application.

The Filter can be added to conf/web.xml and will apply to all web applications
hosted by the container. I'm not sure in what order it will be applied, though.
My wild guess without trying is that everything in conf/web.xml will be applied
first, then all the filters defined in the application's WEB-INF/web.xml.

> I think it's vitally important that the admin should be able to control
> this, since the security feature it implements crosses multiple applications
> on a server, not just one.  That's something a good administrator can
> implement quickly, and would be far harder and more error prone to add at
> the application level.

Admins have the ability to modify conf/web.xml.

-- 
You are receiving this mail because:
You are the assignee for the bug.
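
The container-wide setup described in the comment above, as an added example. It is not part of the original message and it is not the Filter attached to the bug. The class name example.HstsFilter and the init-parameter names maxAgeSeconds and includeSubDomains are hypothetical; the code assumes the javax.servlet API that Tomcat provides.

```java
// Declared once in conf/web.xml so it applies to every web application
// (hypothetical class and parameter names; the jar must sit in Tomcat's lib
// directory so the class is visible to all web applications):
//
//   <filter>
//     <filter-name>hsts</filter-name>
//     <filter-class>example.HstsFilter</filter-class>
//     <init-param><param-name>maxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
//     <init-param><param-name>includeSubDomains</param-name><param-value>true</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>hsts</filter-name><url-pattern>/*</url-pattern></filter-mapping>
package example;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class HstsFilter implements Filter {
    private String headerValue;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String raw = cfg.getInitParameter("maxAgeSeconds");
        long maxAge;
        try {
            maxAge = (raw == null) ? 31536000L : Long.parseLong(raw.trim()); // default: one year
        } catch (NumberFormatException e) {
            throw new ServletException("maxAgeSeconds must be an integer", e);
        }
        if (maxAge < 0) {
            throw new ServletException("maxAgeSeconds must not be negative");
        }
        boolean subDomains = Boolean.parseBoolean(cfg.getInitParameter("includeSubDomains"));
        headerValue = "max-age=" + maxAge + (subDomains ? "; includeSubDomains" : "");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // RFC 6797: send the header only over secure transport. Behind a
        // TLS-terminating proxy isSecure() is false unless the connector is told otherwise.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            // Set before the chain runs so a committed response cannot drop it.
            ((HttpServletResponse) res).setHeader("Strict-Transport-Security", headerValue);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Requesting any page over HTTPS and checking the response for a Strict-Transport-Security header confirms the filter is active for a given application.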