Re: Fwd: Security concern about Tomcat's default value for HSTS MaxAge

2020-08-28 Thread Dave Wichers
So have you guys decided what you are going to do? Is there a dev ticket open (that is public) that I can see and follow the progress on? I'd like to get off this mailing list, as it generates lots of email that I don't care about, but before I leave it, I'd like to understand the plan, and how

Re: Fwd: Security concern about Tomcat's default value for HSTS MaxAge

2020-08-26 Thread Dave Wichers
OK. Fair point. If you believe it is dangerous to just turn it on for real, as someone might do that in prod without knowing what they are doing, then I think Tomcat should generate a WARNING during startup that explains that HSTS is ON, but not yet doing anything, and maybe point them to an

Re: Security concern about Tomcat's default value for HSTS MaxAge

2020-08-26 Thread Mark Thomas
On 26/08/2020 08:20, Martin Grigorov wrote: > Hi, > > On Tue, Aug 25, 2020 at 9:05 PM Dave Wichers > wrote: > > Per:  > > https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter > and  >

Re: Fwd: Security concern about Tomcat's default value for HSTS MaxAge

2020-08-26 Thread Christopher Schultz
Dave, On 8/25/20 14:05, Dave Wichers wrote: > Per: > https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter > > and https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter > > they

Re: Security concern about Tomcat's default value for HSTS MaxAge

2020-08-26 Thread Martin Grigorov
Hi, On Tue, Aug 25, 2020 at 9:05 PM Dave Wichers wrote: > Per: > https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter > and > https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter > > they both say: > > hstsMaxAgeSeconds -

Fwd: Security concern about Tomcat's default value for HSTS MaxAge

2020-08-25 Thread Dave Wichers
Per: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter and https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter they both say: hstsMaxAgeSeconds - The max age value that should be used in the HSTS header. Negative values