From: "Markus Lanthaler"
Subject: Add support for HSTS
Date: Wed, 3 Oct 2012 10:48:28 +0200
Message-ID: <506bfbdf.05d70e0a.6cb1.21d9SMTPIN_ADDED@gmr-mx.google.com>

Hi all,

I've just seen that the HTTP Strict Transport Security (HSTS) draft was approved [1] and will soon be published as an official standard.

Since Symfony already provides a way to force the use of HTTPS [2], I thought it might be a good idea to complement this with the "Strict-Transport-Security" HTTP header. The spec [3] is quite long, but the implementation would actually be quite easy. There's even sample code for PHP on Wikipedia [4].

I could do the changes and file a pull request myself, but I first wanted to ask whether this is of interest. I'm also not sure yet what would be the best way to integrate this in Symfony. Directly in the HttpKernel? Creating a "kernel.response" listener? Somewhere else?

Cheers,
Markus

[1] https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/
[2] http://symfony.com/doc/current/cookbook/security/force_https.html
[3] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14
[4] https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security#Implementation

--
Markus Lanthaler
@markuslanthaler
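One way the "kernel.response" listener option mentioned in the mail could look, as an added example that is not part of the original message and not Symfony's own code: a subscriber that sets the Strict-Transport-Security header on responses to HTTPS requests only. It assumes the Symfony 2.x-era HttpKernel classes (FilterResponseEvent, KernelEvents, HttpKernelInterface); the namespace, the class name HstsListener and the constructor parameters are hypothetical.

```php
<?php
// Added example, not from the original mail or from Symfony itself.
// Assumes the Symfony 2.x-era HttpKernel API; namespace and class name are hypothetical.

namespace Acme\DemoBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;

class HstsListener implements EventSubscriberInterface
{
    private $maxAge;            // seconds the browser should remember the policy
    private $includeSubDomains; // whether the policy also covers subdomains

    public function __construct($maxAge = 31536000, $includeSubDomains = false)
    {
        $this->maxAge = (int) $maxAge;
        $this->includeSubDomains = (bool) $includeSubDomains;
    }

    public static function getSubscribedEvents()
    {
        return array(KernelEvents::RESPONSE => 'onKernelResponse');
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        // Sub-requests (ESI, fragments) share the master response; act once.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        // The draft only allows the header on responses sent over a secure
        // transport; browsers ignore it on plain HTTP, so do not emit it there.
        if (!$event->getRequest()->isSecure()) {
            return;
        }

        $response = $event->getResponse();

        // Leave an explicit value set by a controller untouched.
        if ($response->headers->has('Strict-Transport-Security')) {
            return;
        }

        $response->headers->set('Strict-Transport-Security', $this->buildHeaderValue());
    }

    // Builds e.g. "max-age=31536000; includeSubDomains".
    public function buildHeaderValue()
    {
        $value = 'max-age=' . $this->maxAge;
        if ($this->includeSubDomains) {
            $value .= '; includeSubDomains';
        }

        return $value;
    }
}
```

Registering the class as a service tagged `kernel.event_subscriber` is enough for Symfony to call it on every response. Two design points worth keeping in mind: the HTTPS check matters because a header emitted on a plain-HTTP response is both a spec violation and useless, and `max-age` is a commitment that browsers will honour for that long even if the HTTPS setup later breaks, so a short value during roll-out (minutes or hours) and a long one once the deployment is known to be stable is the usual approach.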