Dear Chris,

I followed your suggestion and changed my app to ROOT, but requests with special characters in the URL path still respond with no HSTS header. Details in the example below.
[sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443"
HTTP/1.1 200
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=11B6A6F834606B167C2281DB1381BBC2;path=/;Secure;HttpOnly
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 02 Jan 2020 03:46:13 GMT

[sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443/%20"
HTTP/1.1 200
Set-Cookie: JSESSIONID=DC2234708B03D66FFC6D30178F083145;path=/;Secure;HttpOnly
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 02 Jan 2020 03:47:54 GMT

Regards.

ปฐวี สรรค์ชล / Pattavee SANCHOL
Thai Digital ID CO.,LTD. <http://www.thaidigitalid.com>
319, 25th Floor, Room 10-11, Chamchuri Square Building, Phayathai Road, Phathum Wan, Bangkok Thailand 10330
Tel : +66-029-0290 ext. 3317
E-mail : pattavee....@thaidigitalid.com

On Fri, Dec 27, 2019 at 10:47 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Pattavee,
>
> On 12/26/19 05:22, Pattavee Sanchol wrote:
> > Dear support team
> >
> > I configured the Tomcat server to enable HSTS, but some request URI paths
> > do not respond with the security headers.
> >
> > The configuration is illustrated below:
> >
> > <filter>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >   <async-supported>true</async-supported>
> >   <init-param>
> >     <param-name>hstsEnabled</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsIncludeSubDomains</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsMaxAgeSeconds</param-name>
> >     <param-value>31536000</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>antiClickJackingEnabled</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>antiClickJackingOption</param-name>
> >     <param-value>SAMEORIGIN</param-value>
> >   </init-param>
> > </filter>
> >
> > <filter-mapping>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <url-pattern>/*</url-pattern>
> >   <dispatcher>REQUEST</dispatcher>
> > </filter-mapping>
> >
> > Some request URIs, such as http://192.168.1.1/%20, do not respond
> > with the security headers.
> >
> > This is working: (image.png)
> >
> > This is not working: (image.png)
> >
> > Please suggest how to solve this problem.
>
> You configured this filter in your web application, right? I'm
> guessing this is not the root application, but instead something like
> /myapp ?
>
> If that's the case, then requesting http://192.168.1.1/%20 will map to
> the ROOT web application which doesn't have HSTS configured.
>
> You will need to add this <filter> to the ROOT web application, which
> is usually found in CATALINA_BASE/webapps/ROOT. You may have
> specifically configured it to be somewhere else, though.
>
> Our applications at $work are also deployed as /myapp but our build
> process always generates a "dummy" ROOT application that handles
> things like 404 responses to things that don't start with /myapp.
> Consider doing the same with your build: build your myapp.war (or
> whatever) and then also build a ROOT.war (or similar) which contains
> the minimal configuration you need to accomplish your goals, such as
> the HSTS response headers, and maybe a catch-all error handler that
> redirects people to /myapp or something similar.
>
> As for HSTS being served from Tomcat... you might consider doing that
> at the reverse-proxy level. My experience has been that having a
> single Tomcat isn't enough for a production-quality deployment for
> both fail-over and maintenance purposes.
> It's always a good idea to
> have a load-balancer even if you don't have so much load that a single
> server can handle it.
>
> If you have a lb/reverse-proxy, then HSTS is best handled there
> because it's usually easier to apply it to the whole site.
>
> -chris
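The gap the thread describes (one path answered with HSTS, another path on the same host answered without it) is easy to miss when reading curl output by eye, so a small audit that parses captured header blocks and reports every path lacking an acceptable policy is the check a reviewer would want. The script below is an added example, not code from this thread or from Tomcat; the two sample responses are constructed copies of the `curl -I` output quoted above, and the 31536000 threshold mirrors the hstsMaxAgeSeconds value in the quoted filter configuration.

```python
"""Audit raw HTTP response header blocks for a usable Strict-Transport-Security
header.  Added example; not from the mailing-list thread or from Tomcat."""
import re
from typing import Dict, Optional

# Constructed sample: header blocks as `curl -I` prints them, keyed by the
# request path that produced them (modelled on the two responses in the thread).
SAMPLE_RESPONSES: Dict[str, str] = {
    "/": (
        "HTTP/1.1 200\r\n"
        "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Set-Cookie: JSESSIONID=11B6A6F834606B167C2281DB1381BBC2;path=/;Secure;HttpOnly\r\n"
        "Content-Type: text/html;charset=UTF-8\r\n"
        "\r\n"
    ),
    "/%20": (
        "HTTP/1.1 200\r\n"
        "Set-Cookie: JSESSIONID=DC2234708B03D66FFC6D30178F083145;path=/;Secure;HttpOnly\r\n"
        "Content-Type: text/html;charset=UTF-8\r\n"
        "\r\n"
    ),
}

MIN_MAX_AGE = 31536000  # one year, the value the filter in the thread sets


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the status line is skipped and
    the first blank line ends the block."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS value into its directives (';'-separated, names are
    case-insensitive, max-age may be quoted)."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                result["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(raw: str, min_max_age: int = MIN_MAX_AGE) -> Optional[str]:
    """Return None when the response carries an acceptable HSTS header,
    otherwise a short description of what is wrong."""
    value = parse_headers(raw).get("strict-transport-security")
    if value is None:
        return "missing Strict-Transport-Security header"
    hsts = parse_hsts(value)
    if hsts["max_age"] is None:
        return "HSTS header has no valid max-age"
    if hsts["max_age"] < min_max_age:
        return f"max-age {hsts['max_age']} is below {min_max_age}"
    return None


def audit(responses: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run check_hsts over every captured response; a None entry means pass."""
    return {path: check_hsts(raw) for path, raw in responses.items()}


if __name__ == "__main__":
    for path, problem in audit(SAMPLE_RESPONSES).items():
        print(f"{path!r}: {'ok' if problem is None else problem}")
```

In real use the dictionary is filled from `curl -I` runs against every class of path the host serves, deliberately including paths that map to a different web application (the ROOT context in this thread), because a filter declared in one application's web.xml covers only that application; every path the audit reports as missing the header is a response from which a browser never learns the policy, which is exactly why Chris suggests setting HSTS once at the reverse proxy for the whole site.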