On 26/08/2020 08:20, Martin Grigorov wrote:
> Hi,
>
> On Tue, Aug 25, 2020 at 9:05 PM Dave Wichers <dave.wich...@owasp.org
> <mailto:dave.wich...@owasp.org>> wrote:
>
>> Per:
>>
>> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
>> and
>> https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
>>
>> they both say:
>>
>> hstsMaxAgeSeconds - The max age value that should be used in the
>> HSTS header. Negative values will be treated as zero. If not
>> specified, the default value of 0 will be used.
>>
>> So, if a Tomcat user (like I did at first) configures
>> hstsEnabled=true, the HSTS response header is set by Tomcat, but
>> with a max age of zero (since that is the default).
>>
>> However, the HSTS RFC, https://tools.ietf.org/html/rfc6797#section-6.1.1, says:
>>
>> NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to
>> cease regarding the host as a Known HSTS Host, including the
>> includeSubDomains directive (if asserted for that HSTS Host).
>>
>> I noticed this problem when I first enabled HSTS on my Tomcat dev
>> instance, and then passively scanned my web app with OWASP ZAP
>> (https://owasp.org/www-project-zap/). ZAP, correctly I believe,
>> pointed out that enabling HSTS with a MaxAge of zero is effectively
>> a no-op (i.e., does nothing).
>>
>> If I'm correct, then I think having a default of zero is dangerous
>> and it should instead default to something useful and effective, such
>> as one year (in seconds), which is what many developers set this
>> value to. Otherwise, I think turning HSTS ON in Tomcat might be
>> giving people a false sense of security, because it really doesn't
>> do anything unless you also set MaxAge (which to me isn't
>> intuitive; you shouldn't have to do that).
>>
>> Do you agree with me that this is a problem that should be fixed?
>
> I agree that either a better default should be set or Tomcat should
> report this misconfiguration somehow to the user!
Generally I concur with what Chris said about the risks of HSTS. Given the risks, I think the current default is appropriate.

I'd be happy with a log message at WARN level if Tomcat is started with HSTS enabled with the default value. I think we probably need to add a warning to the docs so the log message can refer the user to the documentation for information on appropriate values.

Mark
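The misconfiguration Dave describes is easy to check for from the response side, the way ZAP's passive scan does. The following is an added example, not code from Tomcat or ZAP: it parses a Strict-Transport-Security header along the lines of RFC 6797 section 6.1 (required max-age, no duplicate directives, case-insensitive names) and classifies the header. The sample header values are constructed to match what HttpHeaderSecurityFilter would send with hstsEnabled=true and either the default hstsMaxAgeSeconds or a one-year value; the "weak" threshold of one year is this example's own assumption, taken from the value suggested in the thread.

```python
"""Passive check for the HSTS no-op discussed in the thread."""
import re

ONE_YEAR = 31536000  # seconds; the "one year" default the thread suggests (assumption)

# Constructed sample header values (not captured from a real server):
#  - "tomcat-default": hstsEnabled=true with hstsMaxAgeSeconds left at its default of 0
#  - "tomcat-one-year": hstsEnabled=true with hstsMaxAgeSeconds=31536000 and subdomains
SAMPLES = {
    "tomcat-default": "max-age=0",
    "tomcat-one-year": "max-age=31536000;includeSubDomains",
    "missing": None,
    "malformed": "max-age=abc",
}


def parse_hsts(value):
    """Split a header value into {lowercased directive: value or None}.

    Returns None when a directive is repeated, which RFC 6797 6.1 says
    makes the whole header invalid (UAs must ignore it)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if has_value else None
        if name in directives:
            return None
        directives[name] = val
    return directives


def check_hsts(value):
    """Classify a response's HSTS header. Returns (status, explanation)."""
    if value is None:
        return ("missing", "no Strict-Transport-Security header")
    d = parse_hsts(value)
    if d is None or not re.fullmatch(r"\d+", d.get("max-age") or ""):
        return ("invalid", "max-age missing or malformed; UAs ignore the header")
    max_age = int(d["max-age"])
    if max_age == 0:
        # RFC 6797 6.1.1: max-age=0 tells the UA to forget the host as an HSTS host,
        # so Tomcat's default produces a header that pins nothing.
        return ("noop", "max-age=0: UA stops treating the host as a Known HSTS Host")
    if max_age < ONE_YEAR:
        return ("weak", f"max-age={max_age}s is below the commonly used one year")
    subs = ", includeSubDomains" if "includesubdomains" in d else ""
    return ("ok", f"max-age={max_age}s{subs}")
```

Running `check_hsts(SAMPLES["tomcat-default"])` yields the "noop" result, which is the finding ZAP reported for the default configuration.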