Hi all, I've just seen that the HTTP Strict Transport Security (HSTS) draft was approved [1] and will soon be published as an official standard. Since Symfony already provides a way to force the use of HTTPS [2], I thought it might be a good idea to complement this with the "Strict-Transport-Security" HTTP header. The spec [3] is quite long, but the implementation would actually be quite easy. There's even sample code for PHP on Wikipedia [4].
I could do the changes and file a pull request myself, but I first wanted to ask whether this is of interest. I'm also not sure yet what would be the best way to integrate this in Symfony. Directly in the HttpKernel? Creating a "kernel.response" listener? Somewhere else?

Cheers,
Markus

[1] https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/
[2] http://symfony.com/doc/current/cookbook/security/force_https.html
[3] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14
[4] https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security#Implementation

--
Markus Lanthaler
@markuslanthaler
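One way the "kernel.response" listener Markus mentions could look, as an added example that is not part of his post or of Symfony's own code base. It assumes the Symfony 2.x HttpKernel API of that era (KernelEvents::RESPONSE, FilterResponseEvent, Request::isSecure()); the namespace, class name, service id and default max-age value are assumptions chosen for the example. The security-relevant detail the spec imposes is that the header only counts when delivered over HTTPS, so the listener skips plain-HTTP responses instead of advertising the policy over an insecure channel, and it only touches the master response, not ESI or forwarded sub-requests.

```php
<?php
// Added example; not Symfony's own implementation.
// Assumes Symfony 2.x: KernelEvents::RESPONSE, FilterResponseEvent,
// Request::isSecure(). Namespace, class and service id are assumptions.

namespace Acme\SecurityBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;

class HstsListener
{
    /** @var int  max-age in seconds the browser should remember the HTTPS-only policy */
    private $maxAge;
    /** @var bool whether to add the optional includeSubDomains token */
    private $includeSubDomains;

    // 31536000 s = one year; a long max-age is the usual recommendation, but
    // start with a short one while verifying that every subdomain serves HTTPS.
    public function __construct($maxAge = 31536000, $includeSubDomains = false)
    {
        $this->maxAge = (int) $maxAge;
        $this->includeSubDomains = (bool) $includeSubDomains;
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        // Only decorate the master response; sub-requests (ESI, forward()) are
        // embedded in it and must not emit their own headers.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        // The draft requires user agents to ignore the header on plain-HTTP
        // responses, and a host must not send it there: an attacker-controlled
        // HTTP response could otherwise lock or unlock the policy. Only HTTPS.
        if (!$event->getRequest()->isSecure()) {
            return;
        }

        $event->getResponse()->headers->set(
            'Strict-Transport-Security',
            $this->buildHeaderValue()
        );
    }

    /**
     * Builds the directive string, e.g. "max-age=31536000; includeSubDomains".
     */
    public function buildHeaderValue()
    {
        $value = 'max-age=' . $this->maxAge;
        if ($this->includeSubDomains) {
            $value .= '; includeSubDomains';
        }

        return $value;
    }
}

// Registering the listener (assumed service id), in app/config/config.yml:
//
// services:
//     acme_security.hsts_listener:
//         class: Acme\SecurityBundle\EventListener\HstsListener
//         arguments: [31536000, false]
//         tags:
//             - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
```

Pairing this with the existing "force HTTPS" access rule [2] is what makes the header useful: the access rule redirects the first plain-HTTP request to HTTPS, and the header returned on that HTTPS response tells the browser to skip the insecure hop for every later visit within max-age. Before enabling includeSubDomains, confirm that every host under the domain actually serves HTTPS, since browsers will refuse plain-HTTP connections to all of them for the whole max-age window.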