[keycloak-dev] Enable SSL by default

Stian Thorgersen stian at redhat.com
Thu Jul 31 06:27:15 EDT 2014


----- Original Message -----
> From: "Bruno Oliveira" <bruno at abstractj.org>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Thursday, 31 July, 2014 11:11:44 AM
> Subject: Re: [keycloak-dev] Enable SSL by default
> 
> +1 on enforcing it. Do we have any plans around HSTS? Or this is
> something that sysadmins should configure into their servers?

Currently we have an option to disable SSL for each realm (enabled by default), adding HSTS could be tricky as we'd need to know what the option is in KC.

I'm not convinced we should have the option to disable SSL per-realm, instead we could make it into a global option for the whole server. A server is either in dev or production mode, I don't see a use-case to have one secure realm and one unsecure at the same time. That would make it a lot simpler to set the HSTS header in a jax-rs filter, also make it easier for us to check if SSL (for all requests) is enabled in the jax-rs filter.

> 
> On 2014-07-31, Stian Thorgersen wrote:
> > To make sure no-one goes off and uses Keycloak in production without HTTPS
> > we should require SSL by default. To still allow developers to play with
> > Keycloak without having to configure HTTPS first we should allow non-HTTPS
> > if accessed via localhost only.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> --
> 
> abstractj
> PGP: 0x84DC9914
> 
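The server-wide mode, the loopback exception and the HSTS header discussed above, sketched as one JAX-RS filter. This is an added illustration written for this page, not Keycloak's code: the `keycloak.ssl.mode` system property, the `DEV`/`PRODUCTION` mode names and the HSTS value are assumptions, and it relies on running inside a servlet container so the client's real remote address is available.

```java
package example.ssl; // hypothetical package, not part of Keycloak

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Single, server-wide TLS policy instead of a per-realm switch:
 *  - PRODUCTION: plain-HTTP requests are rejected unless they come from the
 *    loopback interface, and every HTTPS response carries an HSTS header.
 *  - DEV: nothing is enforced, so a developer can use http://localhost freely.
 */
@Provider
@PreMatching
public class SslRequiredFilter implements ContainerRequestFilter, ContainerResponseFilter {

    public enum Mode { DEV, PRODUCTION }

    // One year, covering subdomains. Start with a short max-age when rolling out,
    // because a browser that has seen this header will refuse plain HTTP for that long.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    // Hypothetical property name; a real deployment would read its own configuration.
    private final Mode mode =
            Mode.valueOf(System.getProperty("keycloak.ssl.mode", "PRODUCTION").toUpperCase());

    // Injected by the servlet container. Needed because the JAX-RS request URI is built
    // from the Host header, which any remote client can set to "localhost".
    @Context
    private HttpServletRequest servletRequest;

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        if (mode == Mode.DEV) {
            return;
        }
        // isSecure() reflects the connection the container sees. Behind a
        // TLS-terminating proxy, configure the container to honour the proxy's
        // X-Forwarded-Proto header rather than trusting that header here.
        if (servletRequest.isSecure() || isLoopback(servletRequest.getRemoteAddr())) {
            return;
        }
        // Reject instead of redirecting: a redirect would let credentials that were
        // already sent over plain HTTP appear to have worked.
        request.abortWith(Response.status(Response.Status.FORBIDDEN)
                .entity("HTTPS required").build());
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        // Only emit HSTS on HTTPS responses: browsers ignore it over HTTP, and sending it
        // for loopback development traffic would pin the developer's own browser.
        if (mode == Mode.PRODUCTION && servletRequest.isSecure()) {
            response.getHeaders().putSingle("Strict-Transport-Security", HSTS_VALUE);
        }
    }

    /** True for 127.0.0.0/8 and ::1; the address is the peer's, not a client-supplied name. */
    static boolean isLoopback(String remoteAddr) {
        try {
            // getByName on an IP literal parses it without a DNS lookup.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }
}
```

Because the policy is global, the filter needs no realm lookup: it can decide from the connection alone, which is exactly what makes the HSTS and SSL checks simple to place in one filter.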
