Message Boards
HTTP Strict Transport Security
Updated 11 years ago by Bijan Vakili.
Expert  Posts: 375  Join date: 09/03/10
Hi,
Currently Liferay forces https using the HTTP 302 redirect mechanism. Per the Open Web Application Security Project (OWASP) 2012 Security Blitz, HTTP Strict Transport Security (RFC 6797) is preferred over an HTTP 302 redirect since it is less susceptible to a man-in-the-middle attack.
https://www.youtube.com/watch?feature=player_embedded&v=zEV3HOuM_Vw
Implementation seems trivial: add the Strict-Transport-Security HTTP field.
Caveat is that owasp.org itself is not using this; instead it uses an HTTP 301 to redirect from the HTTP to the HTTPS site.
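One way to add the header in a servlet container such as the one Liferay runs in, as an added example that is neither the post's nor Liferay's own code. The HstsFilter name, the one-year max-age and the includeSubDomains directive are assumptions, and request.isSecure() assumes TLS terminates at the container rather than at a reverse proxy.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet filter (not Liferay's own code): sends
// Strict-Transport-Security (RFC 6797) on HTTPS responses and keeps a
// single 301 redirect for the first plain-HTTP visit.
public class HstsFilter implements Filter {

    // One year in seconds; max-age is the only directive RFC 6797 requires.
    private static final long MAX_AGE_SECONDS = 31536000L;
    private static final String HSTS_VALUE =
        "max-age=" + MAX_AGE_SECONDS + "; includeSubDomains";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() assumes TLS terminates at the container; behind a
        // reverse proxy consult the forwarded-proto header instead.
        if (request.isSecure()) {
            // Browsers ignore HSTS received over plain HTTP (RFC 6797 8.1),
            // so the header is only ever set on the HTTPS side.
            response.setHeader("Strict-Transport-Security", HSTS_VALUE);
            chain.doFilter(req, res);
            return;
        }

        // First contact over HTTP: one 301 to the HTTPS URL; afterwards the
        // browser rewrites http:// to https:// itself until max-age expires.
        StringBuffer url = request.getRequestURL();
        String location = "https://" + url.substring(url.indexOf("://") + 3);
        if (request.getQueryString() != null) {
            location += "?" + request.getQueryString();
        }
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", location);
    }

    @Override
    public void destroy() {}
}
```

The redirect is still needed because a browser that has never seen the header arrives over HTTP; HSTS only removes the insecure hop on later visits, and only for as long as max-age.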