There isn’t a commit yet, but https://issues.apache.org/jira/browse/SOLR-15578 was raised about adding this support.
> On Jun 6, 2022, at 7:25 AM, matthew sporleder <msporle...@gmail.com> wrote:
>
> https://stackoverflow.com/questions/3009631/setting-http-headers-with-jetty
>
> On Mon, Jun 6, 2022 at 7:03 AM Anchal Sharma2 <anchs...@in.ibm.com> wrote:
>
>> Hi All,
>>
>> After enabling SSL on Apache Solr using the steps in the Solr guide
>> (https://solr.apache.org/guide/8_11/enabling-ssl.html), we got the below
>> vulnerability reported to us by our security team. Could someone please
>> help suggest how to resolve this for Solr v8.11.1?
>>
>> VULNERABILITY - HSTS Missing From HTTPS Server (RFC 6797)
>>
>> DESCRIPTION - The remote web server is not enforcing HSTS, as defined by
>> RFC 6797. HSTS is an optional response header that can be configured on the
>> server to instruct the browser to only communicate via HTTPS. The lack of
>> HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and
>> weakens cookie-hijacking protections.
>>
>> SUGGESTED SOLUTION - Configure the remote web server to use HSTS.
>>
>> Thank you
>> Anchal Sharma
>>

_______________________
Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 | http://www.opensourceconnections.com | My Free/Busy <http://tinyurl.com/eric-cal>
Co-Author: Apache Solr Enterprise Search Server, 3rd Ed <https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw>
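A check that can be run over captured response headers to confirm whether the scanner finding quoted above is closed once a header is configured, following the parsing rules of RFC 6797 section 6.1. This is an added example, not part of the original thread or of Solr's code; the function names, the simplified directive grammar and the one-year `min_age` threshold are assumptions.

```python
import re

# Simplified RFC 6797 section 6.1 grammar: name, optionally "=" and a
# token or quoted-string value. Directive names are case-insensitive.
_DIRECTIVE = re.compile(r'^([\w-]+)(?:\s*=\s*("[^"]*"|[^\s;"]+))?$')


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if a browser would ignore it."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                       # empty directives are permitted
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:                   # each directive may appear only once
            return None
        seen[name] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                        # max-age is required and numeric
    return int(seen["max-age"]), "includesubdomains" in seen


def check_response(scheme, headers, min_age=31536000):
    """headers: list of (name, value) pairs as received. Returns (ok, reason).

    min_age is an assumed policy threshold (one year), not an RFC requirement.
    """
    if scheme != "https":
        return False, "HSTS is only honoured over HTTPS"
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "header missing"
    policy = parse_hsts(values[0])         # only the first header field counts
    if policy is None:
        return False, "header malformed, browsers ignore it"
    if policy[0] == 0:
        return False, "max-age=0 removes the policy"
    if policy[0] < min_age:
        return False, "max-age below threshold"
    return True, "ok"
```
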