palantir / dropwizard-web-security

A Dropwizard bundle for applying default web security functionality
https://bintray.com/palantir/releases/dropwizard-web-security/view
Apache License 2.0

Add Strict-Transport-Security (HSTS) support #60

Closed. ghost closed this 8 years ago

ghost commented 8 years ago

This adds the Strict-Transport-Security header with a default value of 1 year. It is enabled by default and will consequently break web apps that do not use HTTPS.

qinfchen commented 8 years ago

@jmcampanini

jmcampanini commented 8 years ago

We originally had HSTS available but turned off by default in the bundle. The reasons for removing it are:

Thoughts? I'd be open to adding it in, but I'd want the default to be OFF if we did.

ghost commented 8 years ago

Yep, makes sense that this header should live with the reverse proxy when you have multiple apps behind the same proxy instance. In the case where you're not using a proxy it's not particularly onerous to spin up nginx and configure this header. I'll close out this PR.

jmcampanini commented 8 years ago

Cool. Would be willing to revisit if this comes up in the field more. Maybe add it as an off-by-default option (with a big warning).
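As an added illustration of the off-by-default option proposed above (example code written for this page, not the bundle's own; the class name `HstsFilter`, its constructor parameters and the `trustForwardedProto` flag are assumptions), here is a servlet filter that leaves HSTS disabled unless explicitly turned on and emits the header only on responses served over TLS, either directly or as reported by a trusted reverse proxy through `X-Forwarded-Proto`. RFC 6797 requires user agents to ignore `Strict-Transport-Security` on plain-HTTP responses, so the practical hazard is a one-year policy reaching the browser over HTTPS for a host (and, with `includeSubDomains`, every subdomain) that other applications still serve over HTTP; that is the reason the thread settles on owning the header at the proxy that terminates TLS for all of them.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical off-by-default HSTS filter (illustrative, not the bundle's code).
 *
 * The header is only ever written when the filter is explicitly enabled AND the
 * request demonstrably arrived over TLS, so an HTTP-only deployment that forgets
 * to flip the switch never pins its host.
 */
public final class HstsFilter implements Filter {
    public static final String HEADER = "Strict-Transport-Security";
    /** 365 * 24 * 60 * 60: the one-year default discussed in the PR. */
    public static final long ONE_YEAR_SECONDS = 31_536_000L;

    private final boolean enabled;
    private final long maxAgeSeconds;
    private final boolean includeSubDomains;
    /** Only set this when a proxy you control strips/sets X-Forwarded-Proto; clients can forge it otherwise. */
    private final boolean trustForwardedProto;

    public HstsFilter(boolean enabled, long maxAgeSeconds, boolean includeSubDomains, boolean trustForwardedProto) {
        if (maxAgeSeconds < 0) {
            throw new IllegalArgumentException("max-age must be >= 0");
        }
        this.enabled = enabled;
        this.maxAgeSeconds = maxAgeSeconds;
        this.includeSubDomains = includeSubDomains;
        this.trustForwardedProto = trustForwardedProto;
    }

    /** The maintainers' preferred default: present in the bundle, but OFF. */
    public static HstsFilter disabled() {
        return new HstsFilter(false, ONE_YEAR_SECONDS, false, false);
    }

    /** Builds e.g. "max-age=31536000; includeSubDomains". max-age=0 tells browsers to forget the policy. */
    public String headerValue() {
        StringBuilder value = new StringBuilder("max-age=").append(maxAgeSeconds);
        if (includeSubDomains) {
            value.append("; includeSubDomains");
        }
        return value.toString();
    }

    /** True only if TLS terminated here, or a trusted proxy reports that it terminated TLS upstream. */
    boolean isSecureTransport(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        if (!trustForwardedProto) {
            return false;
        }
        String proto = request.getHeader("X-Forwarded-Proto");
        return proto != null && proto.trim().equalsIgnoreCase("https");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (enabled && req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            if (isSecureTransport(request)) {
                // Set before the chain runs: once the application commits the
                // response, headers added afterwards are silently dropped.
                response.setHeader(HEADER, headerValue());
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration read from web.xml; everything comes from the constructor
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Registering it from a Dropwizard `Application.run()` goes through `environment.servlets().addFilter(...)` with a `/*` mapping, the same way the bundle installs its other filters. The "big warning" belongs next to the `enabled` flag: a one-year `max-age` cannot be taken back faster than each browser revisits the site over HTTPS and sees a shorter value (or `max-age=0`), and `includeSubDomains` extends the pin to every subdomain, including ones served by other teams' apps.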