Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-12 Thread Konstantin Kolinko
2015-05-11 11:56 GMT+03:00 Mark Thomas ma...@apache.org: On 08/05/2015 23:49, Rémy Maucherat wrote: 2015-05-08 21:14 GMT+02:00 Mark Thomas ma...@apache.org: I'd like to back-port this but before I do I'd like to hear other people's views on the following? - Should it be back-ported to 8.0.x

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-12 Thread Mark Thomas
On 11/05/2015 14:05, Rémy Maucherat wrote: 2015-05-11 14:28 GMT+02:00 Mark Thomas ma...@apache.org: Which features are you thinking of and are you suggesting they should be enabled as well? I vote not enabled :) I'm not a big fan of these security features usually (just like when my

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Mark Thomas
On 08/05/2015 23:49, Rémy Maucherat wrote: 2015-05-08 21:14 GMT+02:00 Mark Thomas ma...@apache.org: I'd like to back-port this but before I do I'd like to hear other people's views on the following? - Should it be back-ported to 8.0.x - Should it be enabled by default - Should it be

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Mark Thomas
On 11/05/2015 13:13, Rémy Maucherat wrote: 2015-05-11 10:56 GMT+02:00 Mark Thomas ma...@apache.org: The catalyst for this work was reading RFC 7525 [1]. That got me thinking about similar headers. In [1] HSTS support is a MUST and using it is a SHOULD. On that basis I think 9.0.x should

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Rémy Maucherat
2015-05-11 14:28 GMT+02:00 Mark Thomas ma...@apache.org: Which features are you thinking of and are you suggesting they should be enabled as well? I vote not enabled :) I'm not a big fan of these security features usually (just like when my browser decides I am stupid and must reject fake

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Rémy Maucherat
2015-05-11 10:56 GMT+02:00 Mark Thomas ma...@apache.org: The catalyst for this work was reading RFC 7525 [1]. That got me thinking about similar headers. In [1] HSTS support is a MUST and using it is a SHOULD. On that basis I think 9.0.x should use it by default unless there is a really good

Back-porting the new HttpHeaderSecurityFilter

2015-05-08 Thread Mark Thomas
I'd like to back-port this but before I do I'd like to hear other people's views on the following? - Should it be back-ported to 8.0.x - Should it be enabled by default - Should it be back-ported to 7.0.x - Should it be enabled by default - Should it be back-ported to 6.0.x - Should it be

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-08 Thread Rémy Maucherat
2015-05-08 21:14 GMT+02:00 Mark Thomas ma...@apache.org: I'd like to back-port this but before I do I'd like to hear other people's views on the following? - Should it be back-ported to 8.0.x - Should it be enabled by default - Should it be back-ported to 7.0.x - Should it be enabled