Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Thu, 02 Jan 2020 07:50:10 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Pattavee,

On 1/1/20 22:55, Pattavee Sanchol wrote:
> Dear Chris,
> 
> I follow your suggestion, change my app to ROOT but request with
> special characters on url path still response with no HSTS header. 
> detail on e.g. below
> 
> 
> [sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443";
> 
> HTTP/1.1 200
> 
> Strict-Transport-Security: max-age=31536000;includeSubDomains
> 
> X-Frame-Options: SAMEORIGIN
> 
> X-Content-Type-Options: nosniff
> 
> X-XSS-Protection: 1; mode=block
> 
> Set-Cookie: 
> JSESSIONID=11B6A6F834606B167C2281DB1381BBC2;path=/;Secure;HttpOnly
> 
> Content-Type: text/html;charset=UTF-8
> 
> Transfer-Encoding: chunked
> 
> Date: Thu, 02 Jan 2020 03:46:13 GMT
> 
> 
> 
> 
> [sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443/%20";
> 
> HTTP/1.1 200
> 
> Set-Cookie: 
> JSESSIONID=DC2234708B03D66FFC6D30178F083145;path=/;Secure;HttpOnly
> 
> Content-Type: text/html;charset=UTF-8
> 
> Transfer-Encoding: chunked
> 
> Date: Thu, 02 Jan 2020 03:47:54 GMT
> 
> Regards.

Can you please package-up a WAR file with the above configuration,
name it ROOT.war, deploy it into a fresh Tomcat server and re-test
with 8.5.50? If it fails, please post the WAR file somewhere I can
fetch it and test it myself.

You do not need any additional files except maybe an index.html file
to avoid 404 responses.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4OEOgACgkQHPApP6U8
pFgZCRAAxJHr5NHqabbOF1gtEuGKiuF0ZBI3tIF3NXbxv3UhV+sa8xd1XImGVbeU
+t21EcmFYY2DEoq42H3NK9QBgHnKALypFaZRFxrVakwfQcRQE9zrkKMYPFmt7rfx
ms5wqpCqSYKdn13Ud6vP9c6vfaHJcDQAoAUUrS6Y7c/Otsvtx02bRppz2RClx5+w
xnnKzQrUDOFYbpE6Pjw8W09S5UrLFujdPrFS/x+a9mLPa0ve+mT5v1hVTxsaw+Eu
oj8mJyIG6ySztP8L2ie6ghLi5aa4j9oSvCIqmLmKbVmMqClj2N70pJV6XDFxKYw3
0Iz8a/7oU7u04giG3I1/VpdKoUlOUBurDjVi2JrjkCCvUp4NS6EM8VOB5EEvcVet
qZ6vfEShq5q+o6UWBScQKItSvl61N6aUESMiY9ice6qwAvsJaalDeCZHY1QzHsBY
BCCzZX28fMSfaDlE1FPOiFBpMeBiBTSkonjS5D+nj5VF5tLjSus9TBN3/Jr1X1nD
hTJOHZGW1HI9YxDQXt/Sx/hvL+IwRhjr61eRaW6c5fWiDPVSYl60FuHAC4oN0Prq
1ws687Aw8OL+U2lOz0GfbfYZC0o3dKUOxUkeaQ/gBBEBiwYmjr7vSWgW9xC9mFkY
kukuW01axNc8/Ma4qKIZ563dW78BY5bfWUETBsgr3viQZUjRp+E=
=4nX+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to