https://stackoverflow.com/questions/3009631/setting-http-headers-with-jetty
On Mon, Jun 6, 2022 at 7:03 AM Anchal Sharma2 <anchs...@in.ibm.com> wrote:
> Hi All,
>
> After enabling SSL on Apache Solr using the steps in the Solr guide
> (https://solr.apache.org/guide/8_11/enabling-ssl.html), we got the below
> vulnerability reported to us by our security team. Could someone please
> help suggest how to resolve this for Solr v8.11.1?
>
> VULNERABILITY - HSTS Missing From HTTPS Server (RFC 6797)
>
> DESCRIPTION - The remote web server is not enforcing HSTS, as defined by
> RFC 6797. HSTS is an optional response header that can be configured on the
> server to instruct the browser to only communicate via HTTPS. The lack of
> HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and
> weakens cookie-hijacking protections.
>
> SUGGESTED SOLUTION - Configure the remote web server to use HSTS.
>
> Thank you
> Anchal Sharma
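As an added, stand-alone example (not from this thread, Solr or Jetty): a Python check that reproduces the scanner's RFC 6797 finding on constructed sample response headers, and also flags the cases where the header is present but ineffective (no max-age, or max-age=0), which a simple "header present" check would miss.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample response header sets, standing in for what a scanner
# would see from an HTTPS endpoint after the Solr SSL steps (not real output).
SAMPLE_RESPONSES = {
    "no_hsts": {"Content-Type": "application/json", "X-Frame-Options": "SAMEORIGIN"},
    "hsts_ok": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "hsts_zero": {"Strict-Transport-Security": "max-age=0"},
    "hsts_bad": {"Strict-Transport-Security": "includeSubDomains"},
}

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    findings: list

def check_hsts(headers: dict, min_age: int = 31536000) -> HstsResult:
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return HstsResult(False, None, False, False,
                          ["HSTS missing: no Strict-Transport-Security header (RFC 6797)"])
    max_age, include_sub, preload, findings, seen = None, False, False, [], set()
    # RFC 6797 s6.1: ';'-separated directives, names case-insensitive,
    # max-age is mandatory and no directive may appear more than once.
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            findings.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                max_age = int(m.group(1))
            else:
                findings.append("max-age has no valid delta-seconds value")
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        findings.append("max-age missing: browsers ignore the header, so HSTS is still off")
    elif max_age == 0:
        findings.append("max-age=0 tells browsers to forget the host's HSTS policy")
    elif max_age < min_age:
        findings.append(f"max-age {max_age} is below the chosen minimum {min_age}")
    return HstsResult(True, max_age, include_sub, preload, findings)
```

An empty `findings` list means the response would satisfy the scanner's check; anything else is the reason it would still be reported.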