[Ach] HSTS Headers in Apache

Aaron Zauner azet at azet.org
Wed Sep 24 10:24:21 CEST 2014


* Adi Kriegisch <adi at kriegisch.at> [140924 08:51]:
> The HSTS headers should be set by the web server; they are global on a
> domain basis. No reason to respect the "feelings" of a single web app.
I generally agree that we should overwrite this. But consider the
following example: If you use nginx (or Apache for that matter) you
can simply pass all traffic, including headers, to your
web application. You might then have a sophisticated application
serving different content depending on the domain or subdomain that
has been asked for by the client. I know that people and companies
write such applications and that's not even that uncommon. These
webapps will want to set their own headers, including HSTS. There
are even excellent libraries to handle security headers in
web applications, e.g. https://github.com/twitter/secureheaders

Aaron
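One way to model the middle ground between the two positions above (the proxy enforcing a global HSTS policy versus passing the application's own header through) is for the proxy to parse the application's Strict-Transport-Security header and send whichever of the two policies is stricter. This is an added example, not code from the post or from any of the servers mentioned; the "stricter wins" rule and the function names are assumptions.

```python
# Added example, not from the post; names and the merge policy are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Hsts:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

    def render(self) -> str:
        parts = [f"max-age={self.max_age}"]
        if self.include_subdomains:
            parts.append("includeSubDomains")
        if self.preload:
            parts.append("preload")
        return "; ".join(parts)

def parse_hsts(value: str) -> Optional[Hsts]:
    """Parse an STS header value (RFC 6797 section 6.1); None if malformed."""
    max_age = None
    subs = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit() or max_age is not None:
                return None  # non-numeric or duplicated max-age
            max_age = int(val)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None  # max-age is mandatory
    return Hsts(max_age, subs, preload)

def reconcile(server_policy: Hsts, app_header: Optional[str]) -> str:
    """STS value to send downstream: the server policy, tightened by the app's."""
    app = parse_hsts(app_header) if app_header else None
    if app is None:
        return server_policy.render()  # missing or malformed: server policy wins
    return Hsts(max(server_policy.max_age, app.max_age),
                server_policy.include_subdomains or app.include_subdomains,
                server_policy.preload or app.preload).render()
```

A malformed application header is never forwarded as-is; the server-wide policy is emitted instead, so a buggy backend cannot weaken or break HSTS for the domain.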