[ https://issues.jenkins-ci.org/browse/JENKINS-11146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=161339#comment-161339 ]

jieryn commented on JENKINS-11146:
----------------------------------

I think that forcing a redirect is outside the scope of this plugin. Rather, it 
would be better and easier to enable this in the web.xml:

{code:xml}
  <!-- Require a confidential (TLS) transport for every URL in the application;
       the container answers plain-HTTP requests with a redirect to the https:// URL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name></web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
{code}
                
> Automatically redirect users to secure connection
> -------------------------------------------------
>
>                 Key: JENKINS-11146
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11146
>             Project: Jenkins
>          Issue Type: Improvement
>          Components: hsts-filter
>            Reporter: Christopher Orr
>            Assignee: jieryn
>
> Currently the plugin always sends the STS header, regardless of whether 
> Jenkins is being accessed via a secure connection.
> The spec says:
> bq. A HSTS Server MUST NOT include the Strict-Transport-Security HTTP 
> Response Header in HTTP responses conveyed over a non-secure transport.
> Similarly, browsers will ignore any STS headers received over a non-secure 
> connection.  So it's quite possible that users may end up never accessing 
> Jenkins securely, unless they manually visit the secure URL at least once.  
> The recommended practice when servers receive non-secure requests is to send 
> an HTTP redirect to the secure version of the content.  Then that allows the 
> STS header to be sent, and accepted by the browser.
> So it would be good if this was implemented, so that a redirect would be sent 
> whenever the STS header is enabled in the plugin config and a user accesses 
> Jenkins insecurely.  
> However I guess that may also need an optional config field for entering the 
> secure URL (e.g. if the hostnames differ between secure and non-secure).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
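The redirect-then-STS behaviour that the issue description asks for, written out as an added example in the form of a Java servlet filter. This is not the hsts-filter plugin's code and not part of the original thread; the class name, the "secureBaseUrl" init-param (the optional secure-URL config field the reporter mentions), the header value and the X-Forwarded-Proto handling are all assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example only, not the hsts-filter plugin's code).
 * Plain-HTTP requests get a redirect to the https:// URL; the
 * Strict-Transport-Security header is emitted only on responses that actually
 * travelled over a secure transport, which is what the HSTS spec requires and
 * the only case in which a browser will honour it.
 */
public class RedirectingHstsFilter implements Filter {
    private static final String STS_HEADER = "Strict-Transport-Security";
    // Assumed policy value: one year, covering subdomains.
    private static final String STS_VALUE = "max-age=31536000; includeSubDomains";

    /** Assumed init-param: base URL of the secure site (scheme + host[:port], no path),
     *  e.g. "https://ci.example.org". Used when the secure hostname differs from the
     *  plain-HTTP one; when absent the request's own host name is reused. */
    private String secureBaseUrl;

    @Override
    public void init(FilterConfig cfg) {
        secureBaseUrl = cfg.getInitParameter("secureBaseUrl"); // may be null
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isSecure(request)) {
            // Secure transport: the header is allowed here and will be accepted.
            response.setHeader(STS_HEADER, STS_VALUE);
            chain.doFilter(req, res);
            return;
        }

        // Non-secure transport: MUST NOT send STS; redirect to the secure URL instead,
        // so that the follow-up request can receive (and the browser can store) the policy.
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", secureLocation(request));
    }

    /** True when the request arrived over TLS, either directly or via a TLS-terminating proxy. */
    static boolean isSecure(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        // Assumption: a reverse proxy in front of Jenkins sets X-Forwarded-Proto and
        // overwrites any client-supplied value. Without that guarantee this header is
        // attacker-controlled and must not be trusted.
        String forwarded = request.getHeader("X-Forwarded-Proto");
        return forwarded != null && forwarded.equalsIgnoreCase("https");
    }

    /** Build the https:// URL for this request, preserving path and query string. */
    String secureLocation(HttpServletRequest request) {
        StringBuilder sb = new StringBuilder();
        if (secureBaseUrl != null && !secureBaseUrl.isEmpty()) {
            String base = secureBaseUrl.endsWith("/")
                    ? secureBaseUrl.substring(0, secureBaseUrl.length() - 1)
                    : secureBaseUrl;
            sb.append(base);
        } else {
            // Same host name, default https port; the plain-HTTP port is deliberately dropped.
            sb.append("https://").append(request.getServerName());
        }
        sb.append(request.getRequestURI()); // includes the context path
        String query = request.getQueryString();
        if (query != null) {
            sb.append('?').append(query);
        }
        return sb.toString();
    }

    @Override
    public void destroy() {
    }
}
```

Two points a deployer should check before using something like this: a 301 turns a POST into a GET and drops the body, so either only redirect safe methods or use 308 where the supported browsers allow it; and the X-Forwarded-Proto branch is only sound when the proxy is the sole path to Jenkins and rewrites that header, otherwise a client on plain HTTP can claim "https" and skip the redirect.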

        

Reply via email to