When using the Swisscom CloudFoundry solution with a Spring Boot application, two Strict-Transport-Security headers are added to an HTTPS response. I have looked into this issue and found out that several headers are added by the CloudFoundry solution. Spring Boot, by default, already adds the Strict-Transport-Security header too (on secure sites), which leads to two different HSTS headers.
I would like to configure the headers of my application within my application. Is there a way to disable this automatic header adding of the Swisscom CloudFoundry solution?
If not, is there a way to tell the Swisscom Cloud to overwrite existing Strict-Transport-Security
headers instead of appending it to the list of headers?
An HTTP response from the Spring Boot application, deployed to the Swisscom Cloud, then contains the following two headers:
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
Strict-Transport-Security:max-age=15768000; includeSubDomains
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs.
Thanks for the report. We currently only insert (not replace) the HSTS headers, since we were not aware that some frameworks add it by default. We will consider overwriting the header always, since duplicate headers probably don't make sense and the default we set is appropriate for most use cases.
For the moment: Can you disable setting the HSTS in Spring Boot? According to the Spring Boot docs, you should be able to disable it with this snippet:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ... the rest of the security configuration
            .headers()
                .frameOptions().sameOrigin()
                // stop Spring Security from emitting its default
                // Strict-Transport-Security header on HTTPS responses
                .httpStrictTransportSecurity().disable();
    }
}
Update: We will change this behavior soon: The Appcloud will only set the header if the app does not set it already. So we leave the choice up to the developer if and how he wants to implement HSTS, but it will provide a default.
Update 2: The new behavior is in place.
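An added check that is not part of the question or of the Swisscom answer: it parses the raw response headers quoted in the question (embedded here as a constructed sample) and reports what a browser actually enforces when the Strict-Transport-Security header appears twice. RFC 6797 requires a user agent to process only the first STS header field in a response, so with the two headers above the platform's max-age of 31536000 wins and Spring Boot's 15768000 is ignored; the function names and the sample header block are this example's own.

```python
# Added example (not from the original question or answer): parse the
# Strict-Transport-Security headers of an HTTPS response and report what a
# browser will actually enforce when the header appears more than once.
# RFC 6797 section 8.1 requires a user agent to process only the first STS
# header field it receives, so the effective policy is the first one.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the raw response headers the question reports, with the
# platform's header and Spring Boot's default both present.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/plain
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
Strict-Transport-Security:max-age=15768000; includeSubDomains
X-Content-Type-Options: nosniff
"""


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one STS header value. Directives are ';'-separated with optional
    whitespace (the sample even has a space before the ';'); directive names
    are case-insensitive, max-age is required, unknown directives are ignored."""
    max_age: Optional[int] = None
    include_sub = preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"invalid max-age: {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_sub, preload)


def effective_hsts(raw: str) -> Tuple[Optional[HstsPolicy], int]:
    """Return (policy the browser enforces, number of STS headers seen).
    A count above 1 is the duplicate condition described in the question."""
    values = [v for n, v in parse_header_block(raw) if n == "strict-transport-security"]
    if not values:
        return None, 0
    return parse_hsts(values[0]), len(values)


if __name__ == "__main__":
    policy, count = effective_hsts(SAMPLE_RESPONSE_HEADERS)
    if count > 1:
        print(f"WARNING: {count} Strict-Transport-Security headers; browsers use only the first")
    print(f"effective policy: {policy}")
```

Run against a real deployment by pasting the header block from the response (for example the output of a verbose HTTPS request) into the sample string; a count above 1 means the platform default and the application's own header are both still being emitted, and the printed policy is the one the browser will actually remember.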