hsts

问题 I have the following handlers section in my app.yaml : handlers: - url: /(robots\.txt|sitemap\.xml) static_files: \1 upload: (robots\.txt|sitemap\.xml) secure: always http_headers: Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload' - url: /.* script: main.app secure: always http_headers: Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload' and another subdomain, served by the another submodule ( static.yaml ) has the following: handlers: - url: /

问题 I have the following handlers section in my app.yaml : handlers: - url: /(robots\.txt|sitemap\.xml) static_files: \1 upload: (robots\.txt|sitemap\.xml) secure: always http_headers: Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload' - url: /.* script: main.app secure: always http_headers: Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload' and another subdomain, served by the another submodule ( static.yaml ) has the following: handlers: - url: /

问题 I've tried to update HSTS header value using custom filter (using ContainterResponseFilter) This is my class where I'm setting HSTS header values but there is some unknown issue that's preventing to update these values on server. I've checked locally and it's getting updated but not on server. import java.util.ArrayList; import java.util.List; import javax.inject.Inject; import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.ContainerResponseContext; import javax

问题 I've tried to update HSTS header value using custom filter (using ContainterResponseFilter) This is my class where I'm setting HSTS header values but there is some unknown issue that's preventing to update these values on server. I've checked locally and it's getting updated but not on server. import java.util.ArrayList; import java.util.List; import javax.inject.Inject; import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.ContainerResponseContext; import javax

问题 I've a website (domain from godaddy and hosted in hostgator). As I updated the certificates, manually, I can redirect my site to https, but it is always going to http from google search. After searching online, I got to know that Considering Strict-Transport-Security: max-age=15768000 as result of curl -i -L on target domain will work for my need as it will force a browser to open the website in https. But I'm confused about how to implement this to my website. Can anyone help me on this ?

问题 I have following setup: The application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here. On top, there are several development versions of the application for our QA-Team accessible via http://develop.app.domain.de (no HTTPS needed here). The problem begins here: As soon as I visit https://app.domain.de Chrome (and I guess also other browers) forwards http://develop.app.domain.de (no HTTPS) also to https://develop.app.domain

问题 I'm using both a front-end and a back-end application on a different domain with a session-based authorization. I have setup a working CORS configuration, which works as expected on localhost (e.g. from port :9000 to port :8080 ). As soon as I deploy the applications on secure domains (both domains only allow HTTPS), the CSRF cookie is not accessible anymore within JavaScript, leading to an incorrect follow-up request of the front-end (missing the CSRF header). The cookie is set by the back

问题 I would like to implement HSTS to my application. I have an ELB terminating SSL and forwarding the traffic to my application, which is an apache server used as reverse proxy. I know that in order to implement HSTS, I would need to add the header Strict-Transport-Security to my request. Unfortunately, it seems that I cannot implement it on my Apache server as it would have to be added to the HTTPS Virtual Host and my Apache only has the http virtual host configured, since the SSL is terminated

问题 We like to enable HSTS to our IIS deployed web application. We have SSL terminating ELB Application load balancer. We have enabled the URL rewrite module in IIS and configured the x-Forward-Proto tag to decide and enable HSTS header in the response. Presently, ALB does not appear to pass custom headers from IIS to the ALB, to the end-user. We wanted to see if there is a way to enable HSTS either at ALB level where it can accept custom headers or if it can be set at IIS level and ALB can pass

问题 This is an issue I have been fighting with for days, but I could not find any help on stackoverflow, not even close to it. I hope to help people with similar issues in the future. Any elaboration on this question/answer is very much welcome. I have been trying to set STS-headers to http-requests when using Traefik as a proxy in a Docker environment. Somehow, no matter how I try to set the headers, my browser (Google Chrome) ignores them. What am I doing wrong? 回答1: I have been fighting with