https://issues.apache.org/bugzilla/show_bug.cgi?id=54618
--- Comment #8 from Steve Sether <st...@sether.org> ---

I think this is an important feature for Tomcat to support out of the box. Furthermore though, headers like this should be insanely easy to just add to all the headers of a domain hosted on a machine. Apache solves this very easily with a single configuration line:

    Header add Strict-Transport-Security "max-age=15768000"

So this is incredibly trivial to do in Apache since adding headers is very, very easy. It's far harder to do this on Tomcat since it requires code modifications. Why can't Tomcat have a similar feature?

IMO the solution should be broader than just this one header, and should be a simple config option that an admin can add or subtract rather than having to implement this on every web application. I think it's vitally important that the admin should be able to control this, since the security feature it implements crosses multiple applications on a server, not just one. That's something a good administrator can implement quickly, and would be far harder and more error prone to add at the application level.