In CAS 6.4.x, I believe that the security response headers are enabled by default. I.e.:

cas.http-web-request.header.enabled=true

If I browse to one of our CAS endpoints (e.g. /cas/login), I see the Strict Transport Security response header. However, if I browse to an invalid endpoint, e.g. /, I don't see the Strict Transport Security response header. This gets flagged in security scans.

I have a two-part question.

1. Is this really a security issue? An end user doesn't typically browse to a CAS resource on their own, so it seems like maybe not having the invalid resources protected is OK, since the user will likely be first introduced to CAS on a valid resource and the browser will remember the header setting for the site.

2. If this *is* an issue, is there a way to configure CAS to just apply the security response headers to *all* resources that it serves up?

Thanks,
Carl Waldbieser
ITS Lafayette College
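The scanner finding above comes down to which responses carry a usable Strict-Transport-Security header. Browsers record the HSTS policy per host once they see a valid header on any response, but a scanner (or a client whose first request lands on an unprotected path) judges each response on its own. The following added example is not CAS code or part of the original post; it audits a set of captured response headers the way a scanner would, reporting paths where the header is missing, malformed, or has a short max-age. The response headers and paths (/cas/login, /, /cas/status, /cas/logout) are constructed samples, not a real CAS capture.

```python
"""Audit captured HTTP response headers for a usable HSTS policy (RFC 6797).

Added example, not CAS code. SAMPLE_RESPONSES is a constructed stand-in for
what a scanner records per path; swap in real captures to run it for yourself.
"""
from typing import Dict, List, Optional, Tuple

# One year is the common minimum scanners expect for max-age.
ONE_YEAR = 31536000


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the value is not a valid policy: no numeric max-age,
    or a directive repeated (RFC 6797 forbids duplicate directives).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None
        if name in directives:
            return None
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def find_hsts_gaps(responses: Dict[str, Dict[str, str]],
                   min_max_age: int = ONE_YEAR) -> List[Tuple[str, str]]:
    """Return (path, reason) for every response whose HSTS header is
    missing, malformed, or shorter than min_max_age seconds."""
    gaps: List[Tuple[str, str]] = []
    for path, headers in responses.items():
        # HTTP header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        raw = lowered.get("strict-transport-security")
        if raw is None:
            gaps.append((path, "missing"))
            continue
        parsed = parse_hsts(raw)
        if parsed is None:
            gaps.append((path, "malformed"))
        elif parsed["max_age"] < min_max_age:
            gaps.append((path, f"max-age too short ({parsed['max_age']})"))
    return gaps


# Constructed sample: the login page is protected, the root path and two
# hypothetical paths show the failure modes a scanner would flag.
SAMPLE_RESPONSES = {
    "/cas/login": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "/": {"Content-Type": "text/html"},
    "/cas/status": {"Strict-Transport-Security": "max-age=abc"},
    "/cas/logout": {"Strict-Transport-Security": "max-age=600"},
}

if __name__ == "__main__":
    for path, reason in find_hsts_gaps(SAMPLE_RESPONSES):
        print(f"{path}: {reason}")
```

Run against a real capture, the output is the list of paths to hand to whoever owns the CAS servlet filter or the fronting reverse proxy: the fix the question asks about is to emit the header on every response, including error and unmapped paths, and this check confirms when that has actually happened.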
