> If I browse to one of our CAS endpoints (e.g. /cas/login), I see the Strict
> Transport Security response header.
>
> However, if I browse to an invalid endpoint, e.g. /, I don't see the Strict
> Transport Security response header. This gets flagged in security scans.
Headers are inserted into resources that CAS can control and those that are mapped to components internally to respond. Invalid resources will never reach CAS for it to do anything with them, especially those outside the app context (i.e. anything outside of /cas, typically).

> I have a 2 part question. Is this really a security issue?

No.

> If this *is* an issue, is there a way to configure CAS to just apply the
> security response headers to *all* resources that it serves up?

You'll have to do it outside CAS, via something that can in fact respond to invalid resources, like an external servlet container or a reverse proxy.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
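As an added illustration of the reverse-proxy approach suggested in the reply (this is not configuration from the thread or from the CAS project), the nginx server block below fronts a CAS servlet container and sets Strict-Transport-Security on every response, including the 404 for "/" that never reaches CAS. The hostname, upstream address and certificate paths are assumptions.

```nginx
# Added example, not from the CAS thread. Assumed: nginx terminates TLS for
# sso.example.org and proxies /cas to a servlet container at cas-backend:8443.
server {
    listen 443 ssl;
    server_name sso.example.org;                    # assumed hostname
    ssl_certificate     /etc/nginx/tls/sso.crt;     # assumed paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # "always" is the important part: without it nginx only adds the header
    # to 2xx/3xx responses, so the 404 for "/" would still lack HSTS, which is
    # exactly what the scanner in the question flagged.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # The CAS application context. CAS still adds its own headers here; the
    # proxy-level header covers it as well. Do not put another add_header
    # inside this location, or nginx drops the server-level one.
    location /cas/ {
        proxy_pass https://cas-backend:8443/cas/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Anything outside /cas never reaches CAS. Answer it at the proxy so the
    # response still carries the header set above.
    location / {
        return 404;
    }
}
```

After reloading nginx, `curl -sI https://sso.example.org/ | grep -i strict-transport-security` should show the header on the 404 as well as on /cas/login.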