Questions tagged [strict-transport-security]
19 questions
18 votes, 4 answers
Cookies are not accessible within JavaScript (and the dev tools) but sent along with XHR request (no httponly used)
I'm using both a front-end and a back-end application on a different domain with a session-based authorization. I have setup a working CORS configuration, which works as expected on localhost (e.g. from port :9000 to port :8080). As soon as I deploy…

ssc-hrep3
12 votes, 2 answers
For which Content-Types should I set security related HTTP response headers?
I've built a web application (with my favourite language Fantom!) and am in the process of locking it down from XSS and other such attacks by supplying industry standard HTTP response headers.
My question is, for which responses should the headers…

Steve Eynon
6 votes, 1 answer
Header "Strict-Transport-Security" twice in response with Swisscom CloudFoundry application
When using the Swisscom CloudFoundry solution with a Spring Boot application, two Strict-Transport-Security headers are added to an HTTPS response. I have looked into this issue, and found out that several headers are added by the CloudFoundry…

ssc-hrep3
2 votes, 1 answer
HSTS header with Tomcat 9 for 400 Errors
Using a Tomcat v9.0.30, I was able to successfully configure HSTS headers for all responses (when served over HTTPS) for my Spring-based app using the built-in Tomcat filter…

Cypher
1 vote, 1 answer
Enable HSTS support for static pages in spring cloud gateway
I am using the spring cloud gateway to run my angular application. The API gateway also acts as an entry point to the underlying microservices.
I have one microservice which is built on spring-web and one interceptor enables HSTS in the response…

manjosh
1 vote, 1 answer
Implications of Strict Transport Security (HSTS) max-age = 0
When setting up HSTS in Cloudflare, I noticed that the default max-age is set to 0.
To my understanding this default value kind of disables HSTS, which could be considered a misconfiguration and could also be used to track users.
As I just found…

Caponte
1 vote, 0 answers
Trouble Enabling HttpHeaderSecurityFilter in Tomcat 7.0.82
I have edited the web.xml to enable the HttpHeaderSecurityFilter, added a few params and restarted Tomcat. I'm not seeing the strict-transport-security in the response header.
I have performed the same steps on several Tomcat 9 installations with…

cbrueckner
1 vote, 1 answer
Spring Strict Transport Security (HSTS) configuration not working
I'm trying to enable HSTS in my Spring Boot application. I've added the following to my WebSecurityConfig (based on Enable HTTP Strict Transport Security (HSTS) with spring boot application):
@Configuration
@EnableWebSecurity
public class…

Bjørn Vårdal
0 votes, 0 answers
Added UseHsts in Blazor application but Strict Transport Security isn't working for Blazor Maui
My issue is that when the Strict Transport Security header is added, the Maui application won't load; it is stuck on 'Authorizing...'
I've added HTTP headers within the API program.cs using Middleware and I've also added the app.UseHsts(); with the…

T-BONE
0 votes, 2 answers
How to add response header to wso2 authentication endpoints
I'm able to add the response header to all my APIs except for the wso2 authentication…

Lakshmi
0 votes, 0 answers
Configuring OWASP security headers in Angular
I need to configure the security headers X-Frame-Options, Content-Security-Policy and Strict-Transport-Security in an application developed in Angular. I would like to know if these headers are configured in the application or in the server where…

Alex B
0 votes, 0 answers
"Strict Transport Security" in Blazor webassembly
I have 2 web applications: MVC & Blazor WebAssembly.
In MVC project I was able to set up the application to enforce the strict-transport-security by adding HSTS Middleware in startup class by following the instructions in Microsoft…

Husam Ebish
0 votes, 2 answers
How to set http headers in JBoss EAP 6.1
I want to set the HTTP headers X-Frame-Options and Strict-Transport-Security in JBoss 6.1.0.
I have been searching for the proper configuration file to add these headers. I am able to see some procedures for JBoss 6.4 and JBoss 7, but I didn't get…

Suman
0 votes, 1 answer
How to examine a list of websites against HSTS headers?
I need to examine a list of websites to check if they support the HSTS policy or not.
I grabbed their response headers. However, I am confused now because it appears that HSTS policy subscription can be done through preloaded lists and not only…

qbq
0 votes, 1 answer
How to set the strict transport security header for jetty 9.2.25
I am trying to add the Strict-Transport-Security header for my Jetty server 9.2.25.
I have tried to add the rule to my jetty-config.xml, but it does not seem to work.

Suman