Details
- Type: Improvement
- Resolution: Fixed
- Priority: Major
- Fix Version/s: 3.0.0, 2.14.21
- Yes
Description
Current versions of NXRM 3 running Jetty 9.3.7 or newer can send HTTP Strict Transport Security (HSTS) headers on inbound HTTPS connections. https://tools.ietf.org/html/rfc6797
Enabling HSTS has been requested by a few users of NXRM and, when enabled, helps obtain an A+ rating on ssllabs.com.
https://github.com/eclipse/jetty.project/issues/271
https://bugs.eclipse.org/bugs/show_bug.cgi?id=484657
Jetty Server change adding this feature:
https://github.com/eclipse/jetty.project/commit/19d6e36ab961b9b8db97c66ebde973f36e37f959
Expected
Adjust our shipped jetty-https.xml to enable HSTS by default.
All that is needed is to change the SecureRequestCustomizer creation from this:

    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Arg><Ref refid="httpConfig"/></Arg>
      <Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
      </Call>
    </New>

to this:

    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Arg><Ref refid="httpConfig"/></Arg>
      <Call name="addCustomizer">
        <Arg>
          <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
            <!-- 7776000 seconds = 90 days -->
            <Set name="stsMaxAge">7776000</Set>
          </New>
        </Arg>
      </Call>
    </New>
For justification of the 90 day max-age default, see https://letsencrypt.org/2015/11/09/why-90-days.html .
For justification of NOT including sub-domains under HSTS by default: we believe this poses a lesser risk of indirectly impacting other applications hosted on different sub-domains in the same organization.
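As an added example (not part of this issue and not NXRM or Jetty code), the following script checks what a browser would actually make of the Strict-Transport-Security header the change above produces: it parses the header per RFC 6797 section 6.1 (max-age required, directives case-insensitive and not repeated, unknown directives ignored), ignores a header received over plain HTTP as RFC 6797 section 8.1 requires, and flags a max-age shorter than the 90 day default and the absence of includeSubDomains. The sample HTTP response embedded below is constructed for illustration, not captured from a server.

```python
"""Validate a Strict-Transport-Security header the way RFC 6797 describes it."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Default max-age proposed for NXRM: 7776000 seconds = 90 days.
DEFAULT_MAX_AGE = 7776000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


# directive = token [ "=" ( token / quoted-string ) ]   (RFC 6797 section 6.1)
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; return None if a browser would reject it."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header_value.split(';'):
        if not raw.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None  # malformed directive
        name, value = m.group(1).lower(), m.group(3)
        if name in seen:
            return None  # a directive MUST NOT appear more than once
        seen.add(name)
        if name == 'max-age':
            if value is None or not value.isdigit():
                return None  # max-age requires a non-negative integer
            max_age = int(value)
        elif name == 'includesubdomains':
            include_subdomains = True
        elif name == 'preload':
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_from_response(raw_response: bytes, over_tls: bool) -> Optional[HstsPolicy]:
    """Return the policy a browser would apply to a raw HTTP response.

    A header received over plain HTTP is ignored (RFC 6797 section 8.1), and
    only the first STS header in a response is processed.
    """
    if not over_tls:
        return None
    head, _, _ = raw_response.partition(b'\r\n\r\n')
    for line in head.split(b'\r\n')[1:]:  # skip the status line
        name, sep, value = line.partition(b':')
        if sep and name.strip().lower() == b'strict-transport-security':
            return parse_hsts(value.decode('latin-1'))
    return None


def findings(policy: Optional[HstsPolicy]) -> List[str]:
    """Practitioner checks against the defaults discussed in this issue."""
    if policy is None:
        return ['no usable HSTS policy']
    out = []
    if policy.max_age < DEFAULT_MAX_AGE:
        out.append(f'max-age {policy.max_age} is below 90 days ({DEFAULT_MAX_AGE})')
    if not policy.include_subdomains:
        out.append('includeSubDomains not set (deliberate NXRM default; sub-domains unprotected)')
    return out


# Constructed sample of a response carrying the proposed default header.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Strict-Transport-Security: max-age=7776000\r\n"
                   b"Content-Type: text/html\r\n\r\n")

if __name__ == '__main__':
    for tls in (True, False):
        policy = hsts_from_response(SAMPLE_RESPONSE, over_tls=tls)
        print(f'over_tls={tls}: {policy} -> {findings(policy)}')
```

Run it against a real server by replacing SAMPLE_RESPONSE with the head of an HTTPS response; the `over_tls=False` path shows why an HSTS header on the plain-HTTP listener buys nothing.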
Issue Links
- relates to NEXUS-20269 remove jetty-http-redirect-to-https.xml file from distribution (Closed)