Kaushal,
> On 4/28/22 15:37, Kaushal Shriyan wrote:
>> On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu <pc8...@gmail.com> wrote:
>>> This is what I am using. Hope this helps.
>>> https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html
>> Thanks Peter. Do I need to run Tomcat on port 443 or 8443 to enable HTTP
>> Strict Transport Security (HSTS)? I will be unable to run the Tomcat service on
>> port 443 as it is a privileged port for the root user only. Currently I am
>> running the Tomcat service as the tomcat user on port 8080.
You must use HTTPS to connect to a server in order for the HSTS header
to be respected.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
"
Note: The Strict-Transport-Security header is ignored by the browser
when your site is accessed using HTTP; this is because an attacker may
intercept HTTP connections and inject the header or remove it. When your
site is accessed over HTTPS with no certificate errors, the browser
knows your site is HTTPS capable and will honor the
Strict-Transport-Security header.
"
Is your server available via https:// ? If you are running on port 80,
that doesn't tell us if it's encrypted.
If you are enabling HSTS, how do you expect users to connect to your
service if you are running non-secure HTTP on port 8080?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org