[ https://issues.apache.org/jira/browse/TS-1668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13863754#comment-13863754 ]

Bryan Call edited comment on TS-1668 at 1/7/14 1:14 AM:
--------------------------------------------------------

Should this be a configuration option in records.config and have it 
configurable per remap using config_remap, such as:
CONFIG proxy.config.ssl.hsts.max_age INT 31536000
CONFIG proxy.config.ssl.hsts.include_subdomains INT 1

or just use header_filter or header_rewrite plugin?  My thought looking at how 
everyone else is supporting HSTS, we should just use the normal way for adding 
additional headers.

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Implementation




was (Author: bcall):
Should this be a configuration option in records.config such as:
CONFIG proxy.config.ssl.hsts.max_age INT 31536000
CONFIG proxy.config.ssl.hsts.include_subdomains INT 1

or just use header_filter or header_rewrite plugin?  My thought looking at how 
everyone else is supporting HSTS, we should just use the normal way for adding 
additional headers.

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Implementation



> Traffic Server does currently not implement HSTS
> ------------------------------------------------
>
>                 Key: TS-1668
>                 URL: https://issues.apache.org/jira/browse/TS-1668
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Security, SSL
>            Reporter: Igor Galić
>             Fix For: 6.0.0
>
>
> Apache Traffic Server can be used as Reverse Proxy as well as for {{TLS}} 
> ({{SSL}}) Termination for a huge number of sites.
> As such, it is the ideal point to implement [HTTP Strict Transport 
> Security|http://tools.ietf.org/html/rfc6797].
> I propose enabling administrators to globally ({{records.config}}) configure 
> HSTS for all sites that offer both HTTP and HTTPS. (This switch, if 
> backported, should default to off for stable releases.)
> We should further also make it possible to disable this setting per-site 
> ({{ssl_multicert.config}}).



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
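
Whichever mechanism ends up emitting the header, the result can be checked against the RFC 6797 rules. The following is an added example, not code from this thread or from Traffic Server; the function names are hypothetical, and the two inputs to `render_hsts` mirror the max_age and include_subdomains values proposed in the comment.

```python
import re

def render_hsts(max_age: int, include_subdomains: bool) -> str:
    """Build the header value from the two settings proposed in the comment."""
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value under RFC 6797 section 6.1.

    Raises ValueError when a conforming client would ignore the header.
    Simplification: a ';' inside a quoted-string is not handled.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form of the value
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen[name] = arg
    if "max-age" not in seen:
        raise ValueError("required max-age directive is missing")
    if not re.fullmatch(r"[0-9]+", seen["max-age"]):
        raise ValueError("max-age is not a non-negative integer")
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def check_response(scheme: str, headers: dict) -> list:
    """Return findings for one response observed from the proxy."""
    sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if scheme == "http":
        # RFC 6797 section 7.2: the header must not be sent over plain HTTP.
        return ["HSTS header sent over plain HTTP"] if sts is not None else []
    if sts is None:
        return ["HTTPS response has no HSTS header"]
    try:
        policy = parse_hsts(sts)
    except ValueError as exc:
        return [f"invalid HSTS header: {exc}"]
    return ["max-age=0 removes the policy"] if policy["max_age"] == 0 else []
```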
