Support HTTP Strict Transport Security

Description

HSTS (HTTP Strict Transport Security) is implemented by the server sending a specific header through https, indicating that the server would prefer all future requests through https - never through http.

Compliant browsers will then never again (within the timespan specified in the header) contact the server through http and will automatically rewrite http URLs for it to https.

This is also achievable through appropriate configuration of Apache or any other frontend web server, but it would make a nice, easy-to-configure addition to Liferay, e.g. in Liferay's HeaderFilter or in a specific new filter.

Example for such a header to specify "one year of https access":

Strict-Transport-Security: max-age=31536000

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#HSTS_Mechanism_Overview
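The following is an added example, not the hook from this issue nor Liferay's HeaderFilter: a plain servlet filter that sets the header from the description. It only sends the header on secure connections, because browsers ignore Strict-Transport-Security on plain-http responses (RFC 6797); the init parameter names `max-age` and `includeSubDomains` are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical HSTS filter (example code, not Liferay's own): adds
 * Strict-Transport-Security to every response sent over TLS.
 * Register it in web.xml (or the container's filter mechanism) and map it to /*.
 */
public class HstsFilter implements Filter {

    // One year, matching the example header in the description.
    private static final long DEFAULT_MAX_AGE = 31536000L;

    private String headerValue;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumed init parameters; defaults are used when they are absent.
        String maxAge = config.getInitParameter("max-age");
        long seconds = (maxAge == null) ? DEFAULT_MAX_AGE : Long.parseLong(maxAge);
        headerValue = "max-age=" + seconds;
        if ("true".equalsIgnoreCase(config.getInitParameter("includeSubDomains"))) {
            headerValue += "; includeSubDomains";
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only emit the header on https: browsers discard it on http responses.
        // Behind a TLS-terminating reverse proxy, isSecure() is only true if the
        // container is configured to trust the proxy's X-Forwarded-Proto header.
        if (request.isSecure() && response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).setHeader("Strict-Transport-Security", headerValue);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Before deploying, confirm that every host and subdomain covered by the header actually serves https, since browsers will refuse plain-http access for the whole max-age once the header has been seen.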

Environment

None

Activity

Olaf Kock November 27, 2020 at 8:20 AM

FYI: has now updated my abandoned plugin to 7.x: https://web.liferay.com/marketplace/-/mp/application/178582958

Olaf Kock November 10, 2020 at 3:23 AM
Edited

Hi ,

I've not updated the marketplace plugin since 6.2 - and frankly, I don't really intend to do so:

It's 2020, and I consider https to be ubiquitous. I'd rather recommend to unconditionally set the HTTPS header in a reverse proxy, or - worst case, if you don't have a reverse proxy - in a servlet filter (see https://github.com/liferay/liferay-blade-samples/blob/7.3/liferay-workspace/extensions/servlet-filter)

Sample static config option for Apache httpd is in this article

Hong Zhao November 10, 2020 at 2:43 AM

Hi

Where could I find the setting of this HSTS on the branches below 7.3 after deploying the LPKG file? I can find it on the 7.3 branch and there is a check box to enable the function, but I cannot find it on 7.0. Since the UI is the same for 7.0, 7.1 and 7.2, I am wondering where I can see/enable it on these branches.

Thanks.

Olaf Kock August 21, 2013 at 3:01 PM

submitted a marketplace app that introduces the HSTS header. As the plugin is tiny, I'd like to see this in the product. Possible location is the HeaderFilter, but I don't have a strong preference.

Find the source code on https://github.com/olafk/liferay-hsts-hook. I assume the app will - once approved - be available at https://www.liferay.com/marketplace/-/mp/application/27551660

The codebase is so tiny that it's easy to find the relevant line that should be included in Liferay.

Resolution

Not Aligned with the Roadmap

Assignee

Unassigned

Reporter

Liferay Contributor's Agreement

Accept

Priority

Created August 20, 2013 at 12:39 PM
Updated June 26, 2023 at 2:51 PM
Resolved February 14, 2023 at 2:48 PM