e plan,
and how to track progress.
Thanks, Dave
On Wed, Aug 26, 2020 at 1:37 PM Dave Wichers wrote:
> OK. Fair point. If you believe it is dangerous to just turn it on for
> real, as someone might do that in prod without knowing what they are doing,
> then I think Tomcat should generate
provided by Apache or
OWASP or something like that. I couldn't find one I liked with a quick
Google search.
-Dave
On Wed, Aug 26, 2020 at 1:01 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Dave,
>
Per:
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
and
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
they both say:
hstsMaxAgeSeconds - The max age value that should be used in the HSTS
header. Negative values wi
