So have you guys decided what you are going to do? Is there a dev ticket
open (that is public) that I can see and follow the progress on?
I'd like to get off this mailing list, as it generates lots of email that I
don't care about, but before I leave it, I'd like to understand the plan,
and how to
OK. Fair point. If you believe it is dangerous to just turn it on for real,
as someone might do that in prod without knowing what they are doing, then
I think Tomcat should generate a WARNING during startup that explains that
HSTS is ON, but not yet doing anything, and maybe point them to an articl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Dave,
On 8/25/20 14:05, Dave Wichers wrote:
> Per:
> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Heade
r_Security_Filter
>
>
and
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_
Security_Filter
>
> they b
