Traffic Server / TS-1668

Traffic Server does not currently implement HSTS

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.0
    • Component/s: Security, SSL
    • Labels:
      None

      Description

      Apache Traffic Server can be used as a reverse proxy as well as for TLS (SSL) termination for a huge number of sites.

      As such, it is the ideal point to implement HTTP Strict Transport Security.

      I propose enabling administrators to globally (records.config) configure HSTS for all sites that offer both HTTP and HTTPS. (This switch, if backported, should default to off for stable releases.)

      We should further also make it possible to disable this setting per-site (ssl_multicert.config).

        Attachments

        1. ts1688.diff
          18 kB
          Bryan Call
        2. ts1688.diff
          15 kB
          Bryan Call

            People

            • Assignee:
              bcall Bryan Call
              Reporter:
              i.galic Igor Galić