Foren

HTTP Strict Transport Security

thumbnail
Bijan Vakili, geändert vor 11 Jahren.

HTTP Strict Transport Security

Expert Beiträge: 375 Beitrittsdatum: 10.03.09 Neueste Beiträge
Hi,
Currently Liferay forces https using HTTP 302 redirect mechanism.Per Open Web Application Security Project (OWASP) 2012 Security Blitz, the HTTP Strict Transport Security (RFC 6797) is preferred over HTTP 302 redirect since it is less susceptible to a man-in-the-middle attack.

https://www.youtube.com/watch?feature=player_embedded&v=zEV3HOuM_Vw

Implementation seems trivial: add the Strict-Transport-Security HTTP field.

Caveat is that owasp.org itself is not using this; instead it is uses HTTP 301 to redirect from HTTP to HTTPS site.