<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">+1 on HTTP Strict Transport Security (HSTS)</span><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 12, 2013 at 3:32 PM, Matthias Wessendorf <span dir="ltr">&lt;<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Sounds like a good idea to have an overall &quot;Security Policy&quot;.<div><br></div><div><br></div><div>
Also +1 on HTTP Strict Transport Security (HSTS)</div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">
On Fri, Jul 12, 2013 at 3:13 PM, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Good morning peeps.<br>
<br>
I had some conversation with Matthias about encouraging the usage of<br>
SSL in the Unified Push server; after some minutes of thinking, it would be<br>
better if we could make it not only for AGPUSH.<br>
<br>
So here is the whole and simple idea:<br>
<br>
- Include a Security Policy on AeroGear site.<br>
<br>
Ex: <a href="http://emberjs.com/security/" target="_blank">http://emberjs.com/security/</a> or <a href="http://www.ovirt.org/Security" target="_blank">http://www.ovirt.org/Security</a> (David<br>
Jorm pointed that out to me)<br>
<br>
I already got in touch with the security response team at Red Hat<br>
<br>
- Create an alias <a href="mailto:security@aerogear.org" target="_blank">security@aerogear.org</a> which redirects to our incident<br>
response team at Red Hat<br>
<br>
- Make things crystal clear in our projects via a SECURITY.md file<br>
Ex: <a href="https://github.com/andyet/andbang.js/blob/master/SECURITY.md" target="_blank">https://github.com/andyet/andbang.js/blob/master/SECURITY.md</a><br>
<br>
And also include recommendations to make use of SSL with HSTS.<br>
<br>
Since it affects the whole project, your feedback is welcome.<br>
<span><font color="#888888"><br>
--<br>
abstractj<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>

sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>
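The "SSL with HSTS" recommendation from Bruno's proposal, shown as an added example that is not AeroGear code: a hypothetical servlet filter (the class name HstsFilter and the one-year max-age are assumptions) that redirects plain-HTTP requests to HTTPS and stamps Strict-Transport-Security on every HTTPS response.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of AeroGear) enforcing "SSL with HSTS":
 * plain-HTTP requests are redirected to HTTPS, and every HTTPS response
 * carries a Strict-Transport-Security header so browsers refuse to fall
 * back to plain HTTP for the max-age period.
 */
public class HstsFilter implements Filter {

    // One year; a common production value, assumed here rather than taken from the thread.
    static final long MAX_AGE_SECONDS = 31536000L;
    static final String HSTS_VALUE = "max-age=" + MAX_AGE_SECONDS + "; includeSubDomains";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Browsers ignore HSTS received over plain HTTP, so the first
            // insecure hit gets a permanent redirect instead of the header.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrl(request));
            return;
        }

        // Only set over HTTPS: this is where the browser actually records the policy.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    /** Rebuilds the request URL with the https scheme, keeping the query string. */
    static String httpsUrl(HttpServletRequest request) {
        String url = request.getRequestURL().toString().replaceFirst("^http://", "https://");
        String query = request.getQueryString();
        return query == null ? url : url + "?" + query;
    }
}
```

Behind a TLS-terminating proxy, isSecure() reports false unless the container is configured to honour the proxy's forwarded-protocol header, and the redirect assumes the default ports for both schemes.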