Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-12 Thread Mark Thomas
On 11/05/2015 14:05, Rémy Maucherat wrote:
> 2015-05-11 14:28 GMT+02:00 Mark Thomas:
>
>> Which features are you thinking of and are you suggesting they should be
>> enabled as well?
>>
> I vote "not enabled" :) I'm not a big fan of these security features
> usually (just like when my browser dec

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-12 Thread Konstantin Kolinko
2015-05-11 11:56 GMT+03:00 Mark Thomas:
> On 08/05/2015 23:49, Rémy Maucherat wrote:
>> 2015-05-08 21:14 GMT+02:00 Mark Thomas:
>>
>>> I'd like to back-port this but before I do I'd like to hear other
>>> people's views on the following?
>>>
>>> - Should it be back-ported to 8.0.x
>>> - Should

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Rémy Maucherat
2015-05-11 14:28 GMT+02:00 Mark Thomas:
> Which features are you thinking of and are you suggesting they should be
> enabled as well?
>
>
I vote "not enabled" :) I'm not a big fan of these security features usually (just like when my browser decides I am stupid and must reject "fake" certs on my

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Mark Thomas
On 11/05/2015 13:13, Rémy Maucherat wrote:
> 2015-05-11 10:56 GMT+02:00 Mark Thomas:
>
>> The catalyst for this work was reading RFC 7525 [1]. That got me
>> thinking about similar headers.
>>
>> In [1] HSTS support is a MUST and using it is a SHOULD. On that basis I
>> think 9.0.x should use it

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Rémy Maucherat
2015-05-11 10:56 GMT+02:00 Mark Thomas:
> The catalyst for this work was reading RFC 7525 [1]. That got me
> thinking about similar headers.
>
> In [1] HSTS support is a MUST and using it is a SHOULD. On that basis I
> think 9.0.x should use it by default unless there is a really good
> reason no

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-11 Thread Mark Thomas
On 08/05/2015 23:49, Rémy Maucherat wrote:
> 2015-05-08 21:14 GMT+02:00 Mark Thomas:
>
>> I'd like to back-port this but before I do I'd like to hear other
>> people's views on the following?
>>
>> - Should it be back-ported to 8.0.x
>> - Should it be enabled by default
>> - Should it be back-p

Re: Back-porting the new HttpHeaderSecurityFilter

2015-05-08 Thread Rémy Maucherat
2015-05-08 21:14 GMT+02:00 Mark Thomas:
> I'd like to back-port this but before I do I'd like to hear other
> people's views on the following?
>
> - Should it be back-ported to 8.0.x
> - Should it be enabled by default
> - Should it be back-ported to 7.0.x
> - Should it be enabled by default

Back-porting the new HttpHeaderSecurityFilter

2015-05-08 Thread Mark Thomas
I'd like to back-port this but before I do I'd like to hear other people's views on the following?

- Should it be back-ported to 8.0.x
- Should it be enabled by default
- Should it be back-ported to 7.0.x
- Should it be enabled by default
- Should it be back-ported to 6.0.x
- Should it be en