hsts

Adding HSTS headers in app.yaml (Google App Engine)

故事扮演 submitted on 2021-02-19 03:42:08
Question: I have the following handlers section in my app.yaml : handlers: - url: /(robots\.txt|sitemap\.xml) static_files: \1 upload: (robots\.txt|sitemap\.xml) secure: always http_headers: Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload' - url: /.* script: main.app secure: always http_headers: Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload' and another subdomain, served by another submodule ( static.yaml ), has the following: handlers: - url: /

Add custom HSTS filter using ContainerResponseFilter

假装没事ソ submitted on 2021-02-11 12:13:18
Question: I've tried to update the HSTS header value using a custom filter (using ContainerResponseFilter). This is my class where I'm setting the HSTS header values, but there is some unknown issue that's preventing these values from being updated on the server. I've checked locally and it's getting updated, but not on the server. import java.util.ArrayList; import java.util.List; import javax.inject.Inject; import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.ContainerResponseContext; import javax

How to implement HSTS in my website

天大地大妈咪最大 submitted on 2021-01-01 07:06:13
Question: I have a website (domain from GoDaddy, hosted at HostGator). Since I updated the certificates manually, I can redirect my site to https, but it always goes to http from Google search. After searching online, I got to know that having Strict-Transport-Security: max-age=15768000 in the result of curl -i -L on the target domain will work for my need, as it will force a browser to open the website in https. But I'm confused about how to implement this on my website. Can anyone help me with this?

How to disable Chrome HSTS permanently for a subdomain

左心房为你撑大大i submitted on 2020-12-27 08:51:51
Question: I have the following setup: The application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here. On top, there are several development versions of the application for our QA team accessible via http://develop.app.domain.de (no HTTPS needed here). The problem begins here: As soon as I visit https://app.domain.de, Chrome (and I guess also other browsers) forwards http://develop.app.domain.de (no HTTPS) also to https://develop.app.domain

Cookies are not accessible within JavaScript (and the dev tools) but sent along with XHR request (no httponly used)

时光怂恿深爱的人放手 submitted on 2020-08-24 05:44:32
Question: I'm using both a front-end and a back-end application on different domains with session-based authorization. I have set up a working CORS configuration, which works as expected on localhost (e.g. from port :9000 to port :8080 ). As soon as I deploy the applications on secure domains (both domains only allow HTTPS), the CSRF cookie is not accessible anymore within JavaScript, leading to an incorrect follow-up request from the front-end (missing the CSRF header). The cookie is set by the back

How to implement HTTP Strict Transport Security (HSTS) on AWS Elastic Load Balancer?

风流意气都作罢 submitted on 2020-08-22 11:54:31
Question: I would like to implement HSTS in my application. I have an ELB terminating SSL and forwarding the traffic to my application, which is an Apache server used as a reverse proxy. I know that in order to implement HSTS, I would need to add the header Strict-Transport-Security to my request. Unfortunately, it seems that I cannot implement it on my Apache server, as it would have to be added to the HTTPS Virtual Host and my Apache only has the http virtual host configured, since the SSL is terminated

Enabling HSTS in AWS ELB application load balancer

白昼怎懂夜的黑 submitted on 2020-01-02 03:35:10
Question: We would like to enable HSTS on our IIS-deployed web application. We have an SSL-terminating ELB Application Load Balancer. We have enabled the URL Rewrite module in IIS and configured the x-Forward-Proto tag to decide and enable the HSTS header in the response. Presently, the ALB does not appear to pass custom headers from IIS through the ALB to the end user. We wanted to see if there is a way to enable HSTS either at the ALB level, where it can accept custom headers, or if it can be set at the IIS level and the ALB can pass

How to use STS headers with Traefik when using Docker

Deadly submitted on 2019-12-24 07:37:54
Question: This is an issue I have been fighting with for days, but I could not find any help on Stack Overflow, not even close to it. I hope to help people with similar issues in the future. Any elaboration on this question/answer is very much welcome. I have been trying to set STS headers on http requests when using Traefik as a proxy in a Docker environment. Somehow, no matter how I try to set the headers, my browser (Google Chrome) ignores them. What am I doing wrong? Answer 1: I have been fighting with