SEC-3039: Emit error on startup when using HSTS together with require-channel="http"

[spring-projects-issues]

Thomas Timbul (Migrated from SEC-3039) said:

Using HSTS and specifying require-channel="http" anywhere amounts to invalid configuration. Doing so would break a site.

In such case a clear and prominent error should be emitted on startup pointing the user to the documentation, which should be improved as per https://jira.spring.io/browse/SEC-3038
Container startup should fail with an Exception to prevent this misconfiguration rather than just showing a warning.

[spring-projects-issues]

David Eckel said:

Keep in mind that the absence of an error doesn't mean that you're safe. Because HSTS applies to the current domain and not path, an HSTS-enabled Spring application would still impact other HTTP resources hosted under that domain.

[spring-projects-issues]

Thomas Timbul said:

Very true and it's not just static resources. Someone deploying multiple different webapps in a container, just one of which has HSTS enabled - everything else could fail spectacularly if not configured to match.