[Date Prev] [Date Next] [Prev in Thread] [Next in Thread] [Date Index] [Thread Index]

Re: HSTS and Mid Tier

Most of the web apps I setup with HSTS have apache httpd in front of them.  I set it up in httpd and call it a day.  It's pretty straight forward.  I tend to lean toward httpd for end user facing interfaces because it's much easier to manage and secure 1 piece of software (httpd) than trying to deal with all the different versions of jetty, wildfly, jboss, websphere, tomcat, nginx, etc. floating around out there.  Using something like httpd also allows me to consolidate many apps into a single web server using virtualhosts with https/sni.  It's not such a big deal with something like Remedy because there are limited web interfaces, but when dealing with hundreds of user facing endpoints, it simplifies things.  My 2 cents.


On Thu, Nov 10, 2016 at 10:52 AM, Joe Castleman <joe.castleman@gmail.com> wrote:

I run a public-facing Mid Tier.  I've been tasked with implementing HSTS on the web servers.  I'm running Mid Tier 8.1, using IIS and Tomcat on Windows 2008 Server.

I came across this at BMC Communities:
"Currently, the Tomcat HSTS security filter is not compatible with Mid-Tier. Given that this is a standard feature which relates to the security of the application\environment it would be a good thing to have compatibility." (link)

I haven't hung around Communities much, but evidently this is an "Idea" (i.e. an enhancement request) and, as such, is subject to a vote.  BMC Support confirmed that:
  1. yes, it's subject to a vote;
  2. Mid Tier is indeed incompatible with the Tomcat HSTS filter;
  3. Furthermore it isn't compatible with _any_ HSTS filter.

I can only see the demand for HSTS-compatibility increasing, and I wonder if or how others are dealing with this (beyond obtaining a waiver for HSTS non-compliance)?

And I'm not sure I can/should use this venue for such a request, but is anyone else willing to click on that Communities link and vote this one up the flagpole?

Bright Moments,

Joe Castleman
_ARSlist: "Where the Answers Are" and have been for 20 years_

_ARSlist: "Where the Answers Are" and have been for 20 years_