Strict-Transport-Security header twice in response to a Swisscom CloudFoundry application

When using the Swisscom CloudFoundry solution with a Spring Boot application, two Strict-Transport-Security headers are added to the HTTPS response. I looked into this problem and found out that several headers are added by CloudFoundry. Spring Boot already adds the Strict-Transport-Security header (on secure sites) by default, resulting in two different HSTS headers.

I would like to customize the headers of my application within the application itself. Is there a way to turn off the automatic header addition of the Swisscom CloudFoundry solution?

If not, is there a way to tell Swisscom Cloud to overwrite an existing Strict-Transport-Security header instead of adding another one to the list of headers?

The HTTP response from the Spring Boot application deployed to Swisscom Cloud then contains the following two headers:

 Strict-Transport-Security:max-age=31536000 ; includeSubDomains
 Strict-Transport-Security:max-age=15768000; includeSubDomains
+5
1 answer

Thanks for the report. Currently we only insert (and do not replace) the HSTS header, as we were not aware that some frameworks add it by default. We will consider always rewriting the header, since duplicate headers probably do not make sense, and the default value is suitable for most use cases.

For now: can you disable setting HSTS in Spring Boot? According to the Spring Boot docs, you can disable it with this snippet:

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // ... other security configuration ...
                .headers()
                    .frameOptions().sameOrigin()
                    // stop Spring Security from emitting its own Strict-Transport-Security header
                    .httpStrictTransportSecurity().disable();
        }
    }

Update: we will change this soon. Appcloud will set the header only if the application has not already set it. That way we leave the choice to the developer of whether and how to implement HSTS, but it will be provided by default.

Update 2: the new behavior is in place.

+4
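The following is an added example, not code from the question or the answer above and not Swisscom's platform code. It takes the two duplicated headers from the question (re-typed here as a constructed raw response), reports the duplicate, works out which policy a browser will actually apply (RFC 6797 section 8.1 requires a user agent to process only the first Strict-Transport-Security field and ignore the rest, so the duplicate is not merged, it is dropped), and models the "set the header only if the application has not already set it" behaviour the answer promises. Python is used rather than the Java of the Spring snippet because the check is about the HTTP response, not the framework; the default value passed to `add_default_hsts` is just the second header value from the question, used as a placeholder.

```python
"""Added example: detect duplicate HSTS headers in an HTTP response, compute the
policy a browser will apply, and model a platform that only adds a default HSTS
header when the application has not set one. Sample headers are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed sample response, reproducing the duplicate headers from the question.
RAW_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Strict-Transport-Security: max-age=15768000; includeSubDomains
X-Frame-Options: SAMEORIGIN
"""

HSTS = "strict-transport-security"


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse raw header lines into (name, value) pairs, keeping order and duplicates.
    Header names are lower-cased because HTTP header names are case-insensitive."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # skip the status line and anything that is not a header
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split one HSTS field value into its directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; stray whitespace around ';' is tolerated,
    which matters because the first header in the question has 'max-age=31536000 ;'."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def find_duplicates(headers: List[Tuple[str, str]]) -> Dict[str, int]:
    """Return the names of headers that occur more than once, with their counts."""
    counts: Dict[str, int] = {}
    for name, _ in headers:
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def effective_hsts(headers: List[Tuple[str, str]]) -> Optional[Dict[str, Optional[str]]]:
    """Return the HSTS policy a browser applies. RFC 6797 section 8.1: a UA MUST
    process only the first STS header field it receives, so later copies are ignored."""
    values = [v for n, v in headers if n == HSTS]
    if not values:
        return None
    return parse_hsts(values[0])


def add_default_hsts(headers: List[Tuple[str, str]],
                     default: str = "max-age=15768000; includeSubDomains") -> List[Tuple[str, str]]:
    """Model the platform behaviour described in the answer: add the default HSTS
    header only when the application did not set one, so the developer's own policy
    (and the header count) is left untouched. The default value is a placeholder."""
    if any(n == HSTS for n, _ in headers):
        return list(headers)
    return list(headers) + [(HSTS, default)]


if __name__ == "__main__":
    hdrs = parse_headers(RAW_RESPONSE_HEADERS)
    print("duplicate headers:", find_duplicates(hdrs))
    print("policy the browser applies:", effective_hsts(hdrs))
    print("after platform merge (unchanged):", add_default_hsts(hdrs).count((HSTS, "max-age=15768000; includeSubDomains")))
```

Run it on a captured response (for example the output of `curl -sI https://<your app>` pasted into `RAW_RESPONSE_HEADERS`) to confirm that only one Strict-Transport-Security header remains and that the policy the browser will honour is the one you intended; with the original duplicate response the platform's shorter max-age was never applied at all.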

Source: https://habr.com/ru/post/1272508/
