Spring Security
HTTPS
A self-signed certificate can be generated with the JDK keytool; then a few server.ssl.* properties in the application.properties/yml of your Spring Boot app point the embedded server at the resulting keystore.
Because browsers default to http:// when a bare host name is typed, also register a ServletWebServerFactory bean with an extra redirectConnector() that listens on port 80 and redirects every request to port 443; without it a plain-HTTP request hitting the TLS-only port is answered with an error instead of the page.
TOFU (trust on first use): both HSTS and HPKP are learned from a response the browser has already received, so the very first connection is unprotected and has to be trusted blindly.
HSTS
hstspreload.org - site where you submit your domain for inclusion in Chrome's HSTS preload list, a list of hosts compiled into the browser as HTTPS-only (the other major browsers consume the same list). Requirements: a valid certificate, a redirect from HTTP to HTTPS, and a Strict-Transport-Security header carrying max-age of at least 31536000 (one year), includeSubDomains and preload.
Strict-Transport-Security - the response header name. Spring Security writes it by default (max-age=31536000 ; includeSubDomains), but only on responses to requests it sees as secure; browsers ignore the header if it arrives over plain HTTP.
The header tells the browser that this site requires HTTPS. The browser caches that for max-age seconds and makes ALL later requests to the site over HTTPS, even if the user types http:// explicitly. The exception is the very first visit, before the header has ever been seen; closing that gap is what registration on hstspreload.org is for.
If the certificate expires (or is otherwise invalid, e.g. self-signed) while HSTS is in effect, the browser hard-fails: the usual "proceed anyway" click-through is removed, so users cannot reach the page until a valid certificate is installed.
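A Spring Security configuration that emits a preload-eligible Strict-Transport-Security header, as an added example (not code from the original page; it assumes Spring Security 6 with the lambda DSL, and the class and package names are arbitrary):

```java
package com.example.tls;   // package name is an assumption

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class HstsConfig {

    // hstspreload.org requires max-age >= 1 year, includeSubDomains and preload.
    private static final long ONE_YEAR_SECONDS = 31_536_000L;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Spring Security already sends
            //   Strict-Transport-Security: max-age=31536000 ; includeSubDomains
            // on responses to requests where request.isSecure() is true.
            // Only the "preload" token has to be switched on explicitly;
            // the other two are restated here so the policy is visible in code.
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    .maxAgeInSeconds(ONE_YEAR_SECONDS)
                    .includeSubDomains(true)
                    .preload(true)))
            // Resulting header:
            //   Strict-Transport-Security: max-age=31536000 ; includeSubDomains ; preload
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(basic -> {});
        return http.build();
    }
}
```

Caveat for deployments behind a TLS-terminating load balancer or reverse proxy: the proxy talks plain HTTP to the app, so request.isSecure() is false and Spring Security never writes the header. Set server.forward-headers-strategy=framework (or native) in application.properties so the X-Forwarded-Proto header from the proxy is honoured, and verify with curl -sI https://your-host/ that the header actually appears before submitting the domain to hstspreload.org; once preloaded, the policy is very hard to undo.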
HPKP
HTTP Public Key Pinning (Public-Key-Pins header): when a user connects to your site for the first time, the server sends SHA-256 hashes of one or more public keys from its certificate chain, and the browser caches these "pins" for the period given by max-age. Later connections are accepted only if the presented certificate chain contains a pinned key; the traffic itself is still encrypted with ordinary TLS session keys, not with the pinned key. The risk: if you rotate to a key that is not pinned (or lose the backup key) before max-age runs out, returning users are locked out of your site for the remainder of that period.
Chrome no longer supports HPKP (deprecated in Chrome 67, removed in Chrome 72).
Why these mechanisms exist: when a user types a bare site address into the browser, the first request goes out over plain HTTP. An attacker on the path can tamper with that unencrypted exchange, send back a malicious script, or redirect the user to a look-alike site and capture login credentials.