ssc-hrep3

Reputation: 16069

Header "Strict-Transport-Security" twice in response with Swisscom CloudFoundry application

When using the Swisscom CloudFoundry solution with a Spring Boot application, two Strict-Transport-Security headers are added to an HTTPS response. I have looked into this issue, and found out that several headers are added by the CloudFoundry solution. Spring Boot, by default, already adds the Strict-Transport-Security header too (on secure sites), which leads to two different HSTS headers.

I would like to configure the headers of my application within my application. Is there a way to disable this automatic header adding of the Swisscom CloudFoundry solution?

If not, is there a way to tell the Swisscom Cloud to overwrite existing Strict-Transport-Security headers instead of appending to the list of headers?

An HTTP response from the Spring Boot application, deployed on the Swisscom Cloud, then contains the following two headers:

Strict-Transport-Security:max-age=31536000 ; includeSubDomains
Strict-Transport-Security:max-age=15768000; includeSubDomains

Upvotes: 6

Views: 3190

Answers (1)

Matthias Winzeler

Reputation: 951

Thanks for the report. We currently only insert (not replace) the HSTS headers, since we were not aware that some frameworks add it by default. We will consider overwriting the header always, since duplicate headers probably don't make sense and the default we set is appropriate for most use cases.

For the moment: Can you disable setting the HSTS in Spring Boot? According to the Spring Boot docs, you should be able to disable it with this snippet:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers()
                .frameOptions().sameOrigin()
                // Stop Spring Security from writing its own Strict-Transport-Security
                // header, so only the platform-provided HSTS header remains.
                .httpStrictTransportSecurity().disable();
    }
}

Update: We will change this behavior soon: The Appcloud will only set the header if the app does not set it already. So we leave the choice up to the developer if and how he wants to implement HSTS, but it will provide a default.

Update 2: The new behavior is in place.

Upvotes: 4
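A small check a practitioner can run against a captured response, added here as an example that is not part of the question or the answer above and not code from Swisscom or Spring. It parses every Strict-Transport-Security header in a raw header block, reports duplicates and conflicting max-age values (RFC 6797 section 8.1 says a browser processes only the first HSTS header field, so the second one in the question is silently ignored), and models the two platform behaviours the answer describes: the old always-append behaviour that produced the duplicate, and the updated set-only-if-absent behaviour. The sample header block is constructed from the two header lines quoted in the question; the function names and the one-year threshold (the minimum the HSTS preload list accepts) are the example's own.

```python
from email.parser import HeaderParser

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list requires

# Constructed sample in raw wire format: the two headers quoted in the
# question plus unrelated headers; not captured from a real deployment.
SAMPLE_HEADERS = (
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n"
    "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)


def parse_hsts(value):
    """Parse one Strict-Transport-Security field value into its directives.

    Directive names are case-insensitive (RFC 6797 6.1); max-age is an
    integer number of seconds, other directives are kept as flags or values.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("invalid max-age directive: %r" % val)
            directives[name] = int(val)
        else:
            directives[name] = val or True
    return directives


def audit_hsts(raw_headers):
    """Report on the HSTS headers in a raw response header block.

    Returns the number of HSTS headers, the directives a browser would act
    on (only the first header field, RFC 6797 8.1) and a list of findings.
    """
    msg = HeaderParser().parsestr(raw_headers)
    values = msg.get_all("Strict-Transport-Security") or []
    parsed = [parse_hsts(v) for v in values]
    findings = []
    if not parsed:
        return {"count": 0, "effective": None, "findings": ["no HSTS header"]}
    if len(parsed) > 1:
        findings.append("%d HSTS headers present; browsers use only the first" % len(parsed))
        max_ages = sorted({d.get("max-age") for d in parsed})
        if len(max_ages) > 1:
            findings.append("conflicting max-age values: %s" % max_ages)
    effective = parsed[0]
    if effective.get("max-age", 0) < ONE_YEAR:
        findings.append("effective max-age below one year")
    if "includesubdomains" not in effective:
        findings.append("effective policy lacks includeSubDomains")
    return {"count": len(parsed), "effective": effective, "findings": findings}


def add_platform_default(headers, default, only_if_absent=True):
    """Model a platform injecting its HSTS default into an app's header list.

    headers is a list of (name, value) pairs. only_if_absent=True is the
    updated behaviour from the answer (the app's own header wins); False is
    the old always-append behaviour that produced the duplicate.
    """
    name = "Strict-Transport-Security"
    present = any(n.lower() == name.lower() for n, _ in headers)
    if present and only_if_absent:
        return list(headers)
    return list(headers) + [(name, default)]


def to_raw(headers):
    """Serialise (name, value) pairs into a raw header block for audit_hsts."""
    return "".join("%s: %s\r\n" % (n, v) for n, v in headers) + "\r\n"


if __name__ == "__main__":
    print("captured sample:", audit_hsts(SAMPLE_HEADERS))
    app = [("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains")]
    platform_default = "max-age=15768000; includeSubDomains"
    for label, only_if_absent in (("old append", False), ("new if-absent", True)):
        merged = add_platform_default(app, platform_default, only_if_absent)
        print(label + ":", audit_hsts(to_raw(merged)))
```

Feed a real response to audit_hsts by pasting the header block (everything after the status line, ending with a blank line); anything other than count 1 and an empty findings list is worth a look, since the browser-effective policy is whichever header the platform or framework happened to emit first.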
