HSTS/CSP response headers

Cantor, Scott cantor.2 at osu.edu
Mon Nov 5 09:10:59 EST 2018

> The only reference we can find on the Shibboleth wiki is in relation to jetty.

I should have highlighted that; I overlooked that a lot of people don't customize web.xml and I didn't consider that it would actually change behavior. I'll add it to the notes today.

Beyond that: frames are unsupported (always have been) and if you choose to allow them, you're on your own in terms of making it work other than the obvious of just disabling the feature to detect them.

> If your quoted values are the default I’m assuming the csp additions must be
> always on? There’s no way of turning off this new functionality completely
> (rather than configuring it permissively)?

You can set the properties to an empty value. An empty string doesn't result in any header being generated.

-- Scott
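An added example, not Scott's code and not part of the Shibboleth project: a small Python checker that parses a raw HTTP response head and reports whether HSTS, the CSP `frame-ancestors` directive and `X-Frame-Options` are present and restrictive. This is the kind of check a deployer would run against a login page after enabling the headers, or after blanking the properties to confirm that no header is emitted. The sample responses are constructed for the example.

```python
"""Audit transport-security and anti-framing response headers.

Added example (not Shibboleth project code). The three responses below are
constructed samples; point the same functions at the head of a real
response captured with curl -i to audit a deployed IdP.
"""
from typing import Dict, List

# Constructed sample: headers enabled with restrictive values.
RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: frame-ancestors 'none'; default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: properties blanked, so no security headers at all.
RESPONSE_BLANKED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

# Constructed sample: headers present but permissive.
RESPONSE_PERMISSIVE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse an HTTP response head into a lowercase-keyed multimap."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source-expression, ...]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def hsts_max_age(value: str) -> int:
    """Return the HSTS max-age in seconds, or -1 if absent or malformed."""
    for token in value.split(";"):
        key, _, val = token.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit(raw: str) -> Dict[str, str]:
    """Classify the HSTS, CSP frame-ancestors and X-Frame-Options posture."""
    headers = parse_headers(raw)
    findings: Dict[str, str] = {}

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings["hsts"] = "missing"
    else:
        findings["hsts"] = "ok" if hsts_max_age(hsts[0]) > 0 else "zero-max-age"

    csp = headers.get("content-security-policy")
    if not csp:
        findings["csp"] = "missing"
    else:
        ancestors: List[str] = []
        for value in csp:  # multiple CSP headers are all enforced
            ancestors.extend(csp_directives(value).get("frame-ancestors", []))
        if "'none'" in ancestors:
            findings["csp"] = "frames-blocked"
        elif ancestors:
            findings["csp"] = "frames-restricted"
        else:
            findings["csp"] = "no-frame-ancestors"

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings["x-frame-options"] = "missing"
    else:
        findings["x-frame-options"] = (
            "ok" if xfo[0].upper() in ("DENY", "SAMEORIGIN") else "weak"
        )
    return findings


if __name__ == "__main__":
    for label, resp in (("hardened", RESPONSE_HARDENED),
                        ("blanked", RESPONSE_BLANKED),
                        ("permissive", RESPONSE_PERMISSIVE)):
        print(label, audit(resp))
```

The checker deliberately treats a CSP without `frame-ancestors` as a separate finding from a missing CSP, since the former still leaves the page frameable, which matters given that frames are unsupported by the IdP.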

