On 11/05/2015 14:05, Rémy Maucherat wrote:
> 2015-05-11 14:28 GMT+02:00 Mark Thomas <ma...@apache.org>:
>
>> Which features are you thinking of and are you suggesting they should be
>> enabled as well?
>>
> I vote "not enabled" :) I'm not a big fan of these security features
> usually (just like when my browser decides I am stupid and must reject
> "fake" certs on my behalf).
>
> There is:
> - CorsFilter
> - CsrfPreventionFilter
>
> And there are also dos style filters and valves too:
> - CrawlerSessionManagerValve
> - StuckThreadDetectionValve
> - app servers usually add a valve or filter for JCA as well in that category

Understood. I'll make it disabled when I back-port. For 9.0.x I'm going to leave it enabled for now (if anyone agrees or disagrees with that view please speak up). I think this Filter should be enabled by default but if the community feels differently I'm happy to change the default.

Mark