HSTS and Mid Tier


I run a public-facing Mid Tier.  I've been tasked with implementing HSTS on the web servers.  I'm running Mid Tier 8.1, using IIS and Tomcat on Windows 2008 Server.

I came across this at BMC Communities:
"Currently, the Tomcat HSTS security filter is not compatible with Mid-Tier. Given that this is a standard feature which relates to the security of the application\environment it would be a good thing to have compatibility." (link)

I haven't hung around Communities much, but evidently this is an "Idea" (i.e. an enhancement request) and, as such, is subject to a vote.  BMC Support confirmed that:
  1. yes, it's subject to a vote;
  2. Mid Tier is indeed incompatible with the Tomcat HSTS filter;
  3. furthermore, it isn't compatible with _any_ HSTS filter.

I can only see the demand for HSTS-compatibility increasing, and I wonder if or how others are dealing with this (beyond obtaining a waiver for HSTS non-compliance)?

And I'm not sure I can/should use this venue for such a request, but is anyone else willing to click on that Communities link and vote this one up the flagpole?

Bright Moments,

Joe Castleman
_ARSlist: "Where the Answers Are" and have been for 20 years_