Forwarded from apa...@apache.org. If you choose to respond, please respond to the original sender.
BKP

---------- Forwarded message ---------
From: Jordan Wolkowski <jordan.wolkow...@thunderbay.ca>
Date: Wed, May 21, 2025 at 9:07 AM
Subject: HSTS Missing From HTTPS Server (RFC 6797)
To: apa...@apache.org <apa...@apache.org>

Good Morning,

I'm looking for some additional information, as it has come to our attention that the remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This was brought to our attention as the lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

I couldn't find anything on your site about how to solve this issue, but on some external sites we found the solution is to configure the remote web server to use HSTS. It looks like we need to edit the conf/web.xml to enable this. I found a few articles online, but I couldn't find one officially on the Apache site.

https://docs.microfocus.com/SM/9.60/Hybrid/Content/security/concepts/support_of_http_strict_transport_security_protocol.htm
https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html
https://support.ptc.com/help/thingworx/platform/r9.6/en/index.html#page/ThingWorx/Help/Composer/Security/enabling_hsts_in_apache_tomcat.html
https://portal.microfocus.com/s/article/KM000017386?language=en_US

I wanted to check in with you for review/assistance with enabling this, as we want to make sure we handle this properly.

All the best,

Jordan Wolkowski | Business & Enterprise Applications Analyst
Corporate Information Technology
City of Thunder Bay
807.625.2960 ext. 1214
Pronouns: He/Him
www.thunderbay.ca
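An added example, not part of the thread and not Apache's own code: a small checker that parses a Strict-Transport-Security value according to the RFC 6797 grammar and reports the kind of findings a scanner raises (header missing, max-age absent or short, includeSubDomains absent). The sample header values and the one-year threshold are my assumptions; the mod_headers directive in the comment is the standard way to emit the header from httpd (as opposed to Tomcat's conf/web.xml).

```python
"""Evaluate an HTTP response's Strict-Transport-Security header against RFC 6797."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy threshold: one year, the value typically required for preload lists.
# On Apache httpd (mod_headers) the header is sent from the HTTPS virtual host with:
#   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# RFC 6797 s.7.2: browsers ignore the header over plain HTTP, so check over HTTPS.
MIN_MAX_AGE = 31536000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsResult:
    """Parse per RFC 6797 s.6.1: ';'-separated directives, names case-insensitive,
    max-age required, unknown directives ignored, duplicates make the header invalid."""
    result = HstsResult(present=True)
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            result.findings.append(f"duplicate directive {name}: header invalid")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                result.max_age = int(arg)
            else:
                result.findings.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age is None:
        result.findings.append("max-age missing: header invalid and ignored by browsers")
    elif result.max_age < MIN_MAX_AGE:
        result.findings.append(f"max-age {result.max_age} below {MIN_MAX_AGE}")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent")
    return result


def check_response(headers: dict) -> HstsResult:
    """Locate the HSTS header (case-insensitive name) in a response header dict."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return HstsResult(present=False, findings=["Strict-Transport-Security header missing"])
```

Feed it the headers returned by your HTTPS endpoint (for example from `curl -sI https://host/`) and an empty findings list means the policy is present and complete.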