2015-05-11 10:56 GMT+02:00 Mark Thomas <ma...@apache.org>:
> The catalyst for this work was reading RFC 7525 [1]. That got me
> thinking about similar headers.
>
> In [1] HSTS support is a MUST and using it is a SHOULD. On that basis I
> think 9.0.x should use it by default unless there is a really good
> reason not to.
>
> While the other headers are not required by any RFC (as far as I am
> aware) they are good for security so again I think they should be
> enabled by default unless there is a good reason not to.
>
> Mark
>
>
> [1] https://www.rfc-editor.org/rfc/rfc7525.txt
>
>

Hm, there are other really "nice" security "features" that are done in filters in Tomcat and they are not enabled by default.
Rémy