Combination View Flat View Tree View
Threads [ Previous | Next ]
Bijan Vakili
HTTP Strict Transport Security
December 27, 2012 8:32 PM

Bijan Vakili

Rank: Expert

Posts: 354

Join Date: March 10, 2009

Recent Posts

Currently Liferay forces https using HTTP 302 redirect mechanism.Per Open Web Application Security Project (OWASP) 2012 Security Blitz, the HTTP Strict Transport Security (RFC 6797) is preferred over HTTP 302 redirect since it is less susceptible to a man-in-the-middle attack.

Implementation seems trivial: add the Strict-Transport-Security HTTP field.

Caveat is that itself is not using this; instead it is uses HTTP 301 to redirect from HTTP to HTTPS site.