Questions tagged [strict-transport-security]
14 questions
14
votes
4 answers
Cookies are not accessible within JavaScript (and the dev tools) but sent along with XHR request (no httponly used)
I'm using both a front-end and a back-end application on a different domain with a session-based authorization. I have setup a working CORS configuration, which works as expected on localhost (e.g. from port :9000 to port :8080). As soon as I deploy…
ssc-hrep3
10
votes
2 answers
For which Content-Types should I set security related HTTP response headers?
I've built a web application (with my favourite language Fantom!) and am in the process of locking it down from XSS and other such attacks by supplying industry standard HTTP response headers.
My question is, for which responses should the headers…
Steve Eynon
6
votes
1 answer
Header "Strict-Transport-Security" twice in response with Swisscom CloudFoundry application
When using the Swisscom CloudFoundry solution with a Spring Boot application, two Strict-Transport-Security headers are added to a HTTPS response. I have looked into this issue, and found out that several headers are added by the CloudFoundry…
ssc-hrep3
1
vote
0 answers
Trouble Enabling HttpHeaderSecurityFilter in Tomcat 7.0.82
I have edited the web.xml to enable the HttpHeaderSecurityFilter, added a few params and restarted Tomcat. I'm not seeing the strict-transport-security in the response header.
I have performed the same steps on several Tomcat 9 installations with…
cbrueckner
1
vote
1 answer
Spring Strict Transport Security (HSTS) configuration not working
I'm trying to enable HSTS in my Spring Boot application. I've added the following to my WebSecurityConfig (based on Enable HTTP Strict Transport Security (HSTS) with spring boot application):
@Configuration
@EnableWebSecurity
public class…
Bjørn Vårdal
0
votes
0 answers
"Strict Transport Security" in Blazor webassembly
I have 2 web applications: MVC & Blazor WebAssembly.
In the MVC project I was able to set up the application to enforce the strict-transport-security by adding HSTS Middleware in the startup class by following the instructions in Microsoft…
Husam Ebish
0
votes
0 answers
Trying to add strict transport header to html
I'm trying to add the Strict-Transport-Header to my website, in HTML. I've used all other HTTP headers fine, but when I use this I get a 500 error. Any ideas why?
MaximKing
0
votes
2 answers
How to set http headers in JBoss EAP 6.1
I want to set the HTTP headers for X-Frame-Options and Strict-Transport-Security in JBoss 6.1.0.
I have been searching for the proper configuration file to add these headers. I am able to see some procedures for JBoss 6.4 and JBoss 7, but I didn't get…
Suman
0
votes
1 answer
How to examine a list of websites against HSTS headers?
I need to examine a list of websites to check if they support the HSTS policy or not.
I grabbed their response headers. However, I am confused now because it appears that HSTS policy subscription can be done through preloaded lists and not only…
qbq
0
votes
1 answer
How to set the strict transport security header for jetty 9.2.25
I am trying to add a strict transport security header for my Jetty server 9.2.25.
I have tried to add the rule to my jetty-config.xml, but it does not seem to be working.
Suman
0
votes
1 answer
How to Enable HSTS in Play framework 2.3.x using scala code?
I have a Play Framework 2.3.6 version app running on Sbt, using Sbt SSL endpoint with scala coding...
I would like to see the (HSTS) strict transport security response in the headers.
I am trying locally in postman using the URL http…
jerald
0
votes
1 answer
What happens if I preload HSTS with an unnecessary HSTS header over HTTP?
The HTTP page at my website sends an HSTS header. This has no effect over HTTP, and should be removed. But what if I decide to not remove the error and preload my website through the HSTS Preload form? What happens?
jehovahsays
0
votes
1 answer
Is it possible to redirect from a non-secure to secure connection after enabling HSTS?
I recently started serving the 'strict-transport-security' header on one of my websites. A problem I hadn't anticipated is that my SSL certificate only covers mydomain.com and so if a user visits www.mydomain.com, rather than being redirected (as…
Jack Roscoe
-1
votes
1 answer
Is there any way I can use Strict-Transport security
Is there any way to use a Strict-Transport security header on a site but still have non-ssl sub-domains?
Richard