[
https://issues.apache.org/jira/browse/OFBIZ-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-11717:
Description:
To sum up, for a start:
We now use
[HSTS|https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md]
and we have the http.request-map.list for the requests which should be sent
not secured.
So the https attribute of the request-map->security elements, which is false by
default, no longer makes any sense.
My intention is to remove it, but it hides a number of other things. So we need
to be careful. For instance, OFBIZ-11643 was a 1st aborted attempt. And anyway
this is not security related, so this is not an OFBIZ-1525 subtask.
was: There is much to say here, but I'll put the description later...
> Clean how HTTP vs HTTPS is handled
> ---
>
> Key: OFBIZ-11717
> URL: https://issues.apache.org/jira/browse/OFBIZ-11717
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor