https://bz.apache.org/bugzilla/show_bug.cgi?id=65996

            Bug ID: 65996
           Summary: HSTS header with Tomcat 9 for 400 Errors
           Product: Tomcat 9
           Version: 9.0.30
          Hardware: PC
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Examples
          Assignee: dev@tomcat.apache.org
          Reporter: hblel....@gmail.com
  Target Milestone: -----

Created attachment 38241
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38241&action=edit
Notice the missing HSTS headers on both examples

Using a Tomcat v9.0.30, I was able to successfully configure HSTS headers for
all responses (when served over HTTPS) for my Spring-based app using the
built-in Tomcat filter HttpHeaderSecurityFilter
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html

However, I have noticed that the headers were not added for a particular
response with a 400 HttpStatus. Below are some screenshots:

The issue seems to be specific to 400 errors, and particularly when chars that
are non-compliant with RFC 7230 and RFC 3986 are used: "["

I know that these chars are now rejected by default by Tomcat v9.x.x for
security reasons and that they can be allowed using the relaxedPathChars and
relaxedQueryChars properties, but what about the 400 error response?

Why is the HSTS header not added in that case, and is there a workaround (adding
the headers for the 400 response)? Is this a bug in Tomcat, if the
HttpHeaderSecurityFilter is supposed to be applied to all responses?

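The report above boils down to a coverage gap: HttpHeaderSecurityFilter (enabled with the documented hstsEnabled, hstsMaxAgeSeconds and hstsIncludeSubDomains init-params) only runs for requests that are dispatched into a web application, and a request line that the connector rejects as malformed is answered with a 400 before that happens. The script below is an added example, written for this note and not code from the reporter or from Tomcat. It audits a set of raw HTTP responses for a Strict-Transport-Security header, parses the header per RFC 6797 (mandatory max-age, optional includeSubDomains) and flags responses where the header is absent, malformed or below a policy minimum. The two sample responses are constructed to resemble the reporter's screenshots (a 200 that passed through the filter and a connector-level 400 that did not); they were not captured from a real server, and the one-year minimum is an assumed policy value.

```python
"""Audit HTTP responses for the Strict-Transport-Security (HSTS) header.

Added example; the sample responses are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a normal response that passed through HttpHeaderSecurityFilter.
OK_RESPONSE = (
    b"HTTP/1.1 200 \r\n"
    b"Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: a connector-level 400 for a request target containing "[";
# the filter never saw this exchange, so no HSTS header was added.
BAD_REQUEST_RESPONSE = (
    b"HTTP/1.1 400 \r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Content-Language: en\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


@dataclass
class HstsFinding:
    status: int
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    problem: Optional[str]  # None when the header is present and acceptable


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw response into its status code and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    # Tomcat 9 sends an empty reason phrase ("HTTP/1.1 400 "), so only field 1 is used.
    status = int(lines[0].split(" ")[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def parse_hsts(value: str) -> Tuple[Optional[int], bool, Optional[str]]:
    """Parse HSTS directives (RFC 6797): max-age is mandatory, includeSubDomains optional."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None, include_subdomains, f"max-age value {val.strip()!r} is not an integer"
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None, include_subdomains, "max-age directive missing"
    return max_age, include_subdomains, None


def audit(raw: bytes, min_max_age: int = 31536000) -> HstsFinding:
    """Check one response; min_max_age is an assumed policy value (one year here)."""
    status, headers = parse_response(raw)
    values = headers.get("strict-transport-security", [])
    if not values:
        return HstsFinding(status, False, None, False, "Strict-Transport-Security header absent")
    max_age, include_subdomains, problem = parse_hsts(values[0])
    if problem is None and max_age is not None and max_age < min_max_age:
        problem = f"max-age {max_age} is below the policy minimum {min_max_age}"
    return HstsFinding(status, True, max_age, include_subdomains, problem)


def statuses_without_hsts(responses: List[bytes]) -> List[int]:
    """Status codes of all responses whose HSTS header is absent or defective."""
    return [f.status for f in (audit(r) for r in responses) if f.problem is not None]


if __name__ == "__main__":
    for raw in (OK_RESPONSE, BAD_REQUEST_RESPONSE):
        finding = audit(raw)
        print(f"{finding.status}: {'ok' if finding.problem is None else finding.problem}")
```

Run against real captures (for instance the raw responses of a normal request and of a request with "[" in the path, saved from a browser's network panel or from an HTTPS client), the audit reports exactly the gap the screenshots show: the 200 carries HSTS and the 400 does not. Because the header is set per response, a single uncovered status code is enough for a client that has not yet seen the policy to miss it, which is why a check like this belongs in an integration test rather than a one-off manual inspection.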