Per:
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter
and
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter

they both say:

hstsMaxAgeSeconds  - The max age value that should be used in the HSTS
header. Negative values will be treated as zero. If not specified, the
default value of 0 will be used.

So, if a Tomcat user (like I did at first) configures hstsEnabled=true,
the HSTS response header is set by Tomcat, but with a max age of zero
(since that is the default).

However, the HSTS RFC (https://tools.ietf.org/html/rfc6797#section-6.1.1)
says:

NOTE:  A max-age value of zero (i.e., "max-age=0") signals the UA to cease
regarding the host as a Known HSTS Host, including the includeSubDomains
directive (if asserted for that HSTS Host).

I noticed this problem when I first enabled HSTS on my Tomcat dev instance,
and then passively scanned my web app with OWASP ZAP
(https://owasp.org/www-project-zap/). ZAP, correctly I believe, pointed out
that enabling HSTS with a MaxAge of zero is effectively a no-op (i.e., it
does nothing).

If I'm correct, then I think having a default of zero is dangerous and
it should instead default to something useful and effective, such as one
year (in seconds), which is what many developers set/configure this value to.
Otherwise, I think turning HSTS ON in Tomcat might be giving people a false
sense of security, because it really doesn't do anything unless you also
set MaxAge (which to me isn't intuitive; you shouldn't have to do that).

Do you agree with me that this is a problem that should be fixed?

-Dave
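As an added example (not part of the original message or of Tomcat), the following checker parses a Strict-Transport-Security header per RFC 6797 section 6.1 and flags the max-age=0 case the message describes; the sample header strings are constructed, not captured from a real Tomcat instance.

```python
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # the one-year value many deployments use, in seconds


@dataclass
class HstsResult:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    effective: bool  # True only if the UA will keep treating the host as a Known HSTS Host
    reason: str


def parse_hsts(header: str) -> HstsResult:
    """Parse an STS header value and judge whether the policy does anything."""
    max_age = None
    include_sub = preload = False
    seen = set()
    for raw in header.split(";"):  # RFC 6797 6.1: directives are ';'-separated
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip().strip('"')  # quoted-string values are permitted
        if name in seen:  # a directive must not appear more than once
            return HstsResult(None, False, False, False, f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return HstsResult(None, False, False, False, "max-age is not a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:
        return HstsResult(None, include_sub, preload, False, "max-age missing; header is invalid")
    if max_age == 0:
        return HstsResult(0, include_sub, preload, False, "max-age=0 tells the UA to forget this HSTS host (no-op)")
    if max_age < ONE_YEAR:
        return HstsResult(max_age, include_sub, preload, True, f"effective but short: {max_age}s is below one year")
    return HstsResult(max_age, include_sub, preload, True, "effective")


# Constructed examples: what hstsEnabled=true with the default max age produces, and a fixed value.
TOMCAT_DEFAULT_STS = "max-age=0"
TOMCAT_FIXED_STS = "max-age=31536000;includeSubDomains"
```

Running `parse_hsts` over the header captured from a scanner or proxy reproduces the ZAP finding: the default yields `effective=False`, the one-year value yields `effective=True`.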