I have psi-probe version 2.4.0 deployed in our Tomcat webapps, and made the following changes to my server.xml + web.xml.

Web.xml (enable HSTS):

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

Force TLS on our domain:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Finally, in server.xml, redirect port 80 to port 443:

    <Connector port="80" protocol="org.apache.coyote.http11.Http11AprProtocol" enableLookups="false" redirectPort="443" />

This works fine for our webapps, but when simultaneously using HSTS and the SSL forward I get the following error in psi-probe:

    You do not have sufficient privileges to access this page. Please use the navigation bar to choose another area or click "back" button in your browser.

Disabling either HSTS or https forward solves this issue, so this has nothing to do with user roles not being correct. I can't figure out why this is happening.

Kind regards,
Harrie Robins
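One way to confirm that the two settings in the post are actually taking effect at the HTTP layer, independent of what psi-probe then does with the request, is a header check like the one below. This is an added example, not code from the original post, from psi-probe or from Tomcat. It runs offline over constructed sample responses for a hypothetical host probe.example.com and verifies that port 80 answers only with a redirect to an https:// URL (the redirectPort connector), and that the TLS response carries the Strict-Transport-Security and X-Frame-Options headers the HttpHeaderSecurityFilter is configured to add, with the one-year max-age from the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; constructed for this example
    so the checks run offline (no real Tomcat is contacted)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; value-less directives map to True."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_plain_http(resp: Response) -> List[str]:
    """Port 80 should do nothing but redirect to https:// (the redirectPort connector).
    Returns a list of findings; an empty list means the response looks right."""
    findings = []
    if resp.status not in REDIRECT_STATUSES:
        findings.append(f"expected a redirect on port 80, got HTTP {resp.status}")
    location = resp.header("Location")
    if not location or not location.lower().startswith("https://"):
        findings.append(f"Location should be an https:// URL, got {location!r}")
    if resp.header("Strict-Transport-Security") is not None:
        # RFC 6797 section 7.2: an HSTS host must not send the header over
        # non-secure transport, and browsers ignore it there anyway, so its
        # presence on port 80 points at a misconfiguration rather than protection.
        findings.append("Strict-Transport-Security sent over plain HTTP")
    return findings


def check_tls(resp: Response, min_max_age: int = 31536000) -> List[str]:
    """Port 443 should carry HSTS with max-age >= min_max_age (31536000, the
    hstsMaxAgeSeconds from the post) and the anti-clickjacking X-Frame-Options."""
    findings = []
    hsts = resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", -1))
        except (TypeError, ValueError):
            max_age = -1
        if max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age} is below {min_max_age}")
    xfo = resp.header("X-Frame-Options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options should be DENY or SAMEORIGIN, got {xfo!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample responses for the hypothetical host probe.example.com.
    plain = Response(302, {"Location": "https://probe.example.com/probe/"})
    secure = Response(200, {"Strict-Transport-Security": "max-age=31536000",
                            "X-Frame-Options": "SAMEORIGIN"})
    print("port 80 :", check_plain_http(plain) or "OK")
    print("port 443:", check_tls(secure) or "OK")
```

To use it against a live deployment, build a Response from the status line and headers of a real `curl -I http://host/probe/` and `curl -I https://host/probe/` instead of the constructed objects. The check says nothing about why psi-probe reports insufficient privileges; it only tells you whether the redirect and the headers are being emitted as the configuration intends, which rules one class of explanation in or out before looking at the application side.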
*Web.xml (enable hsts):* * <filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>hstsEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>hstsMaxAgeSeconds</param-name> <param-value>31536000</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> <async-supported>true</async-supported> </filter>* *Force TLS on our domain:* * <security-constraint> <web-resource-collection> <web-resource-name>Protected Context</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>* *Finally, in server xml, redirect port 80 to port 443:* *<Connector port="80" protocol="org.apache.coyote.http11.Http11AprProtocol" enableLookups="false" redirectPort="443" />* This works fine for our webapps, but when simultaneous using hsts and the ssl forward I get the following error in psi-probe: *You do not have sufficient privileges to access this page. Please use the navigation bar to choose another area or click "back" button in your browser. * Disabling either HSTS or https forward solves this issue, so this has nothing to do with user roles not being correct. I can't figure out why this is happening. Kind regards, Harrie Robins