Vista Combinata Vista Piatta Vista ad Albero
Discussioni [ Precedente | Successivo ]
Bijan Vakili
HTTP Strict Transport Security
27 dicembre 2012 20.32
Risposta

Bijan Vakili

Punteggio: Regular Member

Messaggi: 141

Data di Iscrizione: 10 marzo 2009

Messaggi recenti

Hi,
Currently Liferay forces https using HTTP 302 redirect mechanism.Per Open Web Application Security Project (OWASP) 2012 Security Blitz, the HTTP Strict Transport Security (RFC 6797) is preferred over HTTP 302 redirect since it is less susceptible to a man-in-the-middle attack.

https://www.youtube.com/watch?feature=player_embedded&v=zEV3HOuM_Vw

Implementation seems trivial: add the Strict-Transport-Security HTTP field.

Caveat is that owasp.org itself is not using this; instead it is uses HTTP 301 to redirect from HTTP to HTTPS site.