Hi,
Currently Liferay forces HTTPS using the HTTP 302 redirect mechanism. Per the Open Web Application Security Project (OWASP) 2012 Security Blitz, HTTP Strict Transport Security (RFC 6797) is preferred over an HTTP 302 redirect since it is less susceptible to a man-in-the-middle attack.
https://www.youtube.com/watch?feature=player_embedded&v=zEV3HOuM_Vw
Implementation seems trivial: add the Strict-Transport-Security HTTP header field.
Caveat is that owasp.org itself is not using this; instead it uses HTTP 301 to redirect from the HTTP site to the HTTPS site.
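The difference the post is pointing at, as an added example (not code from the original post and not Liferay's own code): a small simulation of a browser talking to a server that redirects HTTP to HTTPS, with and without a Strict-Transport-Security header. It counts how many requests still leave the browser in plaintext, which is exactly what an on-path attacker can intercept. The hostname, the in-memory HSTS store, the redirect limit and the absence of subdomain matching are assumptions made for the example.

```python
import re
import time
from dataclasses import dataclass, field

HSTS_HEADER = "Strict-Transport-Security"
ONE_YEAR = 31536000  # seconds; a common max-age for production deployments


def hsts_header_value(max_age=ONE_YEAR, include_subdomains=True):
    """Build an RFC 6797 header value, e.g. 'max-age=31536000; includeSubDomains'."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value):
    """Parse STS directives per RFC 6797. Returns a policy dict, or None if the
    header is invalid (max-age missing/non-numeric, or a directive repeated)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # values may be quoted-string
        if name in directives:
            return None                      # repeated directive: UA must ignore header
        directives[name] = val
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}


@dataclass
class Server:
    """Assumed portal host: always 301s plaintext to HTTPS; optionally emits HSTS."""
    host: str
    use_hsts: bool

    def handle(self, scheme, path):
        if scheme == "http":
            return 301, {"Location": f"https://{self.host}{path}"}, ""
        headers = {HSTS_HEADER: hsts_header_value()} if self.use_hsts else {}
        return 200, headers, "secure content"


@dataclass
class Browser:
    """Minimal user agent with an HSTS store (host -> policy expiry, epoch seconds)."""
    hsts_store: dict = field(default_factory=dict)
    plaintext_requests: list = field(default_factory=list)  # what an attacker could see

    def navigate(self, url, server, now=None):
        now = time.time() if now is None else now
        scheme, host, path = _split(url)
        # Known HSTS host: rewrite to https *before* anything touches the network.
        if scheme == "http" and self.hsts_store.get(host, 0) > now:
            scheme = "https"
        for _ in range(5):  # assumed redirect limit
            if scheme == "http":
                self.plaintext_requests.append(f"http://{host}{path}")
            status, headers, body = server.handle(scheme, path)
            # RFC 6797: the header is only honoured on a secure transport.
            if scheme == "https" and HSTS_HEADER in headers:
                policy = parse_hsts(headers[HSTS_HEADER])
                if policy and policy["max_age"] == 0:
                    self.hsts_store.pop(host, None)   # max-age=0 revokes the policy
                elif policy:
                    self.hsts_store[host] = now + policy["max_age"]
            if status in (301, 302):
                scheme, host, path = _split(headers["Location"])
                continue
            return status, body
        raise RuntimeError("too many redirects")


def _split(url):
    scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    return scheme, host, "/" + path


def count_exposed_requests(use_hsts, visits=3):
    """Number of plaintext requests across `visits` visits to the assumed portal."""
    server = Server("portal.example.com", use_hsts)
    browser = Browser()
    for _ in range(visits):
        browser.navigate("http://portal.example.com/web/guest", server)
    return len(browser.plaintext_requests)


if __name__ == "__main__":
    print("redirect only:", count_exposed_requests(False))   # every visit exposed
    print("redirect + HSTS:", count_exposed_requests(True))  # only the first visit
```

With a redirect alone every visit starts with a plaintext request that an attacker can answer or strip; with HSTS only the first visit does, which is why the header complements rather than replaces the redirect (the redirect is still what delivers the policy to a first-time visitor).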