[ https://issues.apache.org/jira/browse/TS-1668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Galić updated TS-1668:
---------------------------

    Description: 
Apache Traffic Server can be used as a Reverse Proxy as well as for {{TLS}} 
({{SSL}}) Termination for a huge number of sites.

As such, it is the ideal point to implement [HTTP Strict Transport 
Security|http://tools.ietf.org/html/rfc6797].

I propose enabling administrators to globally ({{records.config}}) configure HSTS 
for all sites that offer both HTTP and HTTPS. (This switch, if backported, 
should default to off for stable releases.)

We should further also make it possible to disable this setting per-site 
({{ssl_multicert.config}}).

  was:
Apache Traffic Server can be used as a Reverse Proxy as well as for {{TLS}} 
({{SSL}}) Termination for a huge number of sites.

As such, it is the ideal point to implement HTTP Strict Transport Security.

I propose enabling administrators to globally ({{records.config}}) configure HSTS 
for all sites that offer both HTTP and HTTPS. (This switch, if backported, 
should default to off for stable releases.)

We should further also make it possible to disable this setting per-site 
({{ssl_multicert.config}}).

    
> Traffic Server does currently not implement HSTS
> ------------------------------------------------
>
>                 Key: TS-1668
>                 URL: https://issues.apache.org/jira/browse/TS-1668
>             Project: Traffic Server
>          Issue Type: Bug
>            Reporter: Igor Galić
>
> Apache Traffic Server can be used as a Reverse Proxy as well as for {{TLS}} 
> ({{SSL}}) Termination for a huge number of sites.
> As such, it is the ideal point to implement [HTTP Strict Transport 
> Security|http://tools.ietf.org/html/rfc6797].
> I propose enabling administrators to globally ({{records.config}}) configure 
> HSTS for all sites that offer both HTTP and HTTPS. (This switch, if 
> backported, should default to off for stable releases.)
> We should further also make it possible to disable this setting per-site 
> ({{ssl_multicert.config}}).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
