Header "Strict-Transport-Security" twice in response with Swisscom CloudFoundry application

When using the Swisscom CloudFoundry solution with a Spring Boot application, two Strict-Transport-Security headers are added to an HTTPS response. I have looked into this issue, and found out that several headers are added by the CloudFoundry solution. Spring Boot, by default, already adds the Strict-Transport-Security header too (on secure sites), which leads to two different HSTS headers.

I would like to configure the headers of my application within my application. Is there a way to disable this automatic header adding of the Swisscom CloudFoundry solution?

If not, is there a way to tell the Swisscom Cloud to overwrite existing Strict-Transport-Security headers instead of appending it to the list of headers?

An HTTP response from the Spring Boot application, deployed to the Swisscom Cloud, then contains the following two headers:

Strict-Transport-Security:max-age=31536000 ; includeSubDomains
Strict-Transport-Security:max-age=15768000; includeSubDomains
ssc-hrep3 Avatar asked Oct 10 '17 17:10

1 Answer

Thanks for the report. We currently only insert (not replace) the HSTS headers, since we were not aware that some frameworks add it by default. We will consider overwriting the header always, since duplicate headers probably don't make sense and the default we set is appropriate for most use cases.

For the moment: Can you disable setting the HSTS in Spring Boot? According to the Spring Boot docs, you should be able to disable it with this snippet:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ... other security configuration ...
            .headers()
                .frameOptions().sameOrigin()
                // Stop Spring Security from emitting its own HSTS header, so the
                // platform's Strict-Transport-Security header is the only one sent.
                .httpStrictTransportSecurity().disable();
    }
}

Update: We will change this behavior soon: The Appcloud will only set the header if the app does not set it already. So we leave the choice up to the developer if and how he wants to implement HSTS, but it will provide a default.

Update 2: The new behavior is in place.

Matthias Winzeler Avatar answered Oct 09 '22 20:10
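A check for the duplicate-header symptom the question describes, and for confirming the single-header behaviour the answer's second update announces, as an added example that is not code from the question, the answer or Swisscom. The header list is constructed from the two values shown in the question; the report's "effective" entry follows RFC 6797 section 8.1, under which a browser processes only the first Strict-Transport-Security header it receives.

```python
# Constructed sample: the two HSTS headers from the question plus one unrelated header.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains"),
    ("Strict-Transport-Security", "max-age=15768000; includeSubDomains"),
]


def parse_hsts(value):
    """Parse one HSTS field value into a directive dict (RFC 6797 section 6.1).
    max-age becomes an int; value-less directives map to True; None if no max-age."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            directives[name] = int(val)
        else:
            directives[name] = val or True
    return directives if "max-age" in directives else None


def check_hsts(headers):
    """Report HSTS headers in (name, value) pairs; 'effective' is the first one,
    which is the only one a browser processes (RFC 6797 section 8.1)."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    parsed = [parse_hsts(v) for v in values]
    report = {"count": len(values), "effective": parsed[0] if parsed else None,
              "findings": []}
    if not values:
        report["findings"].append("no Strict-Transport-Security header")
    if any(p is None for p in parsed):
        report["findings"].append("malformed Strict-Transport-Security header")
    if len(values) > 1:
        report["findings"].append("duplicate Strict-Transport-Security headers")
        ages = {p["max-age"] for p in parsed if p}
        if len(ages) > 1:
            report["findings"].append("conflicting max-age values %s" % sorted(ages))
    return report


if __name__ == "__main__":
    for finding in check_hsts(SAMPLE_HEADERS)["findings"]:
        print("WARN:", finding)
```

Feed it the header pairs from a real response (for example from `curl -sI` output split on the first colon) to confirm that, after the platform change, exactly one policy is sent.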