> From: Pham, Mary (NIH/OD/ORS) [E] [mailto:maryp...@mail.nih.gov] 
> Subject: Apache TomCat 5.5

> We have been using one of the old Apache TomCat on Windows Server 2008R2, IIS 7.

Firstly, it's Tomcat, not TomCat.

> We need to apply a header directive in Apache "Strict-Transport-Security" so
> that our web site would be secured as the Government required.

Your web site is pretty much guaranteed to be _insecure_ as long as you're 
running that old - and unsupported - version of Tomcat.  The last Tomcat 5.5 
release was nearly four years ago, and many, many vulnerabilities have been 
addressed since then.  SSL does not protect you against those.  You really must 
upgrade to a supported level (preferably 8.5), after carefully reading the 
migration guides:
http://tomcat.apache.org/migration.html

Not doing so makes anything else you try pointless.

> My question is where can I insert this line?

As suggested by Daniel, a filter is your best bet - but upgrade Tomcat first.  
Not doing so leaves you subject to many more liabilities than lack of HSTS.

 - Chuck 
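
The filter approach suggested in the reply, sketched as an added example (not code from this thread or from the Tomcat project). The class name `HstsFilter` and the init-param names `maxAgeSeconds` and `includeSubDomains` are hypothetical; it assumes the `javax.servlet` API and a `/*` filter mapping in `web.xml`.

```java
// Added example: class name and init-param names are hypothetical.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HstsFilter implements Filter {
    private String headerValue;

    public void init(FilterConfig cfg) throws ServletException {
        long maxAge = 31536000L; // one year, used when no init-param is given
        String raw = cfg.getInitParameter("maxAgeSeconds");
        if (raw != null) {
            try {
                maxAge = Long.parseLong(raw.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("maxAgeSeconds is not an integer: " + raw);
            }
            if (maxAge < 0) {
                throw new ServletException("maxAgeSeconds must not be negative");
            }
        }
        // Build the value once; a misconfiguration fails at deploy time, not per request.
        headerValue = "max-age=" + maxAge;
        if ("true".equalsIgnoreCase(cfg.getInitParameter("includeSubDomains"))) {
            headerValue += "; includeSubDomains";
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Browsers ignore HSTS received over plain HTTP, so send it on secure requests only.
        // If TLS terminates at a front end (the poster mentions IIS), isSecure() is true
        // only when the connector passes the original scheme through to Tomcat.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            // Set before chain.doFilter(): headers set after the response commits are dropped.
            ((HttpServletResponse) res).setHeader("Strict-Transport-Security", headerValue);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Supported Tomcat releases ship `org.apache.catalina.filters.HttpHeaderSecurityFilter`, which sets this header from `web.xml` without custom code.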

