I run a public-facing Mid Tier. I've been tasked with implementing HSTS on the web servers. I'm running Mid Tier 8.1, using IIS and Tomcat on Windows 2008 Server.
I came across this at BMC Communities:
"Currently, the Tomcat HSTS security filter is not compatible with Mid-Tier. Given that this is a standard feature which relates to the security of the application\environment it would be a good thing to have
I haven't hung around Communities much, but evidently this is an "Idea" (i.e. an enhancement request) and, as such, is subject to a vote. BMC Support confirmed that:
- yes, it's subject to a vote;
- Mid Tier is indeed incompatible with the Tomcat HSTS filter;
- furthermore, it isn't compatible with _any_ HSTS filter.
I can only see the demand for HSTS-compatibility increasing, and I wonder if or how others are dealing with this (beyond obtaining a waiver for HSTS non-compliance)?
And I'm not sure I can/should use this venue for such a request, but is anyone else willing to click on that Communities link and vote this one up the flagpole?
_ARSlist: "Where the Answers Are" and have been for 20 years_