Kombinierte Ansicht Flache Ansicht Baumansicht
Threads [ Zurück | Nächste ]
Bijan Vakili
HTTP Strict Transport Security
27. Dezember 2012 20:32
Antwort

Bijan Vakili

Rang: Expert

Nachrichten: 354

Eintrittsdatum: 10. März 2009

Neue Beiträge

Hi,
Currently Liferay forces https using HTTP 302 redirect mechanism.Per Open Web Application Security Project (OWASP) 2012 Security Blitz, the HTTP Strict Transport Security (RFC 6797) is preferred over HTTP 302 redirect since it is less susceptible to a man-in-the-middle attack.

https://www.youtube.com/watch?feature=player_embedded&v=zEV3HOuM_Vw

Implementation seems trivial: add the Strict-Transport-Security HTTP field.

Caveat is that owasp.org itself is not using this; instead it is uses HTTP 301 to redirect from HTTP to HTTPS site.