Most of the web apps I set up with HSTS have Apache httpd in front of them.
I set it up in httpd and call it a day.  It's pretty straightforward.  I
tend to lean toward httpd for end user facing interfaces because it's much
easier to manage and secure 1 piece of software (httpd) than trying to deal
with all the different versions of jetty, wildfly, jboss, websphere,
tomcat, nginx, etc. floating around out there.  Using something like httpd
also allows me to consolidate many apps into a single web server using
virtualhosts with https/sni.  It's not such a big deal with something like
Remedy because there are limited web interfaces, but when dealing with
hundreds of user facing endpoints, it simplifies things.  My 2 cents.

Axton

On Thu, Nov 10, 2016 at 10:52 AM, Joe Castleman <joe.castle...@gmail.com>
wrote:

> Greetings!
>
> I run a public-facing Mid Tier.  I've been tasked with implementing HSTS
> on the web servers.  I'm running Mid Tier 8.1, using IIS and Tomcat on
> Windows 2008 Server.
>
> I came across this at BMC Communities:
> "Currently, the Tomcat HSTS security filter is not compatible with
> Mid-Tier. Given that this is a standard feature which relates to the
> security of the application\environment it would be a good thing to have
> compatibility." (link <https://communities.bmc.com/ideas/14278>)
>
> I haven't hung around Communities much, but evidently this is an "Idea"
> (i.e. an enhancement request) and, as such, is subject to a vote.  BMC
> Support confirmed that:
>
>    1. yes, it's subject to a vote;
>    2. Mid Tier is indeed incompatible with the Tomcat HSTS filter;
>    3. Furthermore it isn't compatible with _any_ HSTS filter.
>
>
> I can only see the demand for HSTS-compatibility increasing, and I wonder
> if or how others are dealing with this (beyond obtaining a waiver for HSTS
> non-compliance)?
>
> And I'm not sure I can/should use this venue for such a request, but is
> anyone else willing to click on that Communities link and vote this one up
> the flagpole?
>
> Bright Moments,
>
> Joe Castleman
> _ARSlist: "Where the Answers Are" and have been for 20 years_
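
The approach described in the reply at the top of this thread, as an added example that is not from either poster: httpd terminates TLS, sets the HSTS header itself, and proxies to the application server, so no HSTS filter is needed on the backend. The hostname, certificate paths, backend address and the /arsys path are assumptions.

```apache
# Added example, not from the thread. Hostname, certificate paths and
# backend address are assumptions.
# Requires mod_ssl, mod_headers, mod_proxy and mod_proxy_http.

# Plain HTTP: redirect only. Browsers ignore an HSTS header received
# over HTTP (RFC 6797), so it is not set on this virtual host.
<VirtualHost *:80>
    ServerName midtier.example.com
    Redirect permanent / https://midtier.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName midtier.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/midtier.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/midtier.example.com.key

    # "always" adds the header to error responses as well as successful ones.
    # Browsers cache the policy for max-age seconds, so test with a short
    # value before committing to a long one such as one year.
    Header always set Strict-Transport-Security "max-age=31536000"

    # The backend is reached over loopback and carries no HSTS filter.
    ProxyPreserveHost On
    ProxyPass        /arsys http://127.0.0.1:8080/arsys
    ProxyPassReverse /arsys http://127.0.0.1:8080/arsys
</VirtualHost>
```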
