On 11/05/2015 13:13, Rémy Maucherat wrote:
> 2015-05-11 10:56 GMT+02:00 Mark Thomas <ma...@apache.org>:
> 
>> The catalyst for this work was reading RFC 7525 [1]. That got me
>> thinking about similar headers.
>>
>> In [1] HSTS support is a MUST and using it is a SHOULD. On that basis I
>> think 9.0.x should use it by default unless there is a really good
>> reason not to.
>>
>> While the other headers are not required by any RFC (as far as I am
>> aware) they are good for security so again I think they should be
>> enabled by default unless there is a good reason not to.
>>
>> Mark
>>
>>
>> [1] https://www.rfc-editor.org/rfc/rfc7525.txt
>>
> Hm, there are other really "nice" security "features" that are done in
> filters in Tomcat and they are not enabled by default.

Which features are you thinking of and are you suggesting they should be
enabled as well?

Mark

