https://bz.apache.org/bugzilla/show_bug.cgi?id=69610
Bug ID: 69610
Summary: Consider implementing support for upgrade-insecure-requests request header and conditional HSTS
Product: Tomcat 11
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: ma...@apache.org
Target Milestone: -------

The upgrade-insecure-requests request header allows a server to enable HSTS for a user agent even if some of the links still use HTTP, providing those resources are also available over HTTPS, by adding the upgrade-insecure-requests CSP header to the response.

It looks like this should be implementable via the HttpHeaderSecurityFilter with a little refactoring.

I'm not seeing a need for this at the moment. A search of the Tomcat archives finds a handful of references to upgrade-insecure-requests but all of them in HTTP header traces for other issues. I haven't found any evidence that there is demand for this feature from Tomcat users. I am opening this issue as a way to track that demand - if any.

[1] https://www.w3.org/TR/upgrade-insecure-requests/
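
The behaviour the report describes, sketched as a stand-alone servlet filter. This is an added example, not Tomcat's HttpHeaderSecurityFilter and not code from the reporter; it follows the server-side handling recommended in the linked W3C document. The class name ConditionalHstsFilter, the host www.example.com and the max-age value are assumptions chosen for illustration.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Hypothetical filter: HSTS is sent only to clients that announce they upgrade insecure requests. */
public class ConditionalHstsFilter extends HttpFilter {
    private static final String UIR = "Upgrade-Insecure-Requests";
    // Assumed values. The redirect target is fixed configuration, never the
    // client-supplied Host header, so the filter cannot be used as an open redirect.
    private static final String CANONICAL_HOST = "www.example.com";
    private static final String HSTS_VALUE = "max-age=31536000";

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The response differs depending on this request header, so caches must key on it.
        res.addHeader("Vary", UIR);
        boolean clientUpgrades = "1".equals(req.getHeader(UIR));

        // isSecure() must reflect the client connection; behind a TLS-terminating
        // proxy that requires the container to be configured accordingly.
        if (!req.isSecure()) {
            if (clientUpgrades) {
                // 307 keeps the request method and body on the HTTPS retry.
                String query = req.getQueryString();
                res.setStatus(HttpServletResponse.SC_TEMPORARY_REDIRECT);
                res.setHeader("Location", "https://" + CANONICAL_HOST + req.getRequestURI()
                        + (query == null ? "" : "?" + query));
                return;
            }
            // Legacy client: serve over HTTP. HSTS sent over HTTP is ignored anyway.
            chain.doFilter(req, res);
            return;
        }

        if (clientUpgrades) {
            // This user agent rewrites http:// subresource links itself, so pinning
            // it to HTTPS will not break pages that still contain such links.
            res.setHeader("Strict-Transport-Security", HSTS_VALUE);
            res.addHeader("Content-Security-Policy", "upgrade-insecure-requests");
        }
        // Clients without the header get no HSTS, so their HTTP links keep working.
        chain.doFilter(req, res);
    }
}
```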