> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Friday, April 29, 2022 01:10
> To: users@tomcat.apache.org
> Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
> 
> Kaushal,
> 
> On 4/28/22 15:37, Kaushal Shriyan wrote:
> > On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu <pc8...@gmail.com> wrote:
> >
> >> This is what I am using. Hope this helps.
> >>
> >> https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html
> >
> > Thanks Peter. Do I need to run tomcat on port 443 or 8443 to enable
> > HTTP Strict Transport Security (HSTS). I will be unable to run tomcat
> > service on port 443 as it is a privileged port for root user only.
> > Currently I am running tomcat service as tomcat user on port 8080.
> 
> You must use HTTPS to connect to a server in order for the HSTS header to be
> respected.
> 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
> 
> "
> Note: The Strict-Transport-Security header is ignored by the browser when
> your site is accessed using HTTP; this is because an attacker may intercept
> HTTP connections and inject the header or remove it. When your site is
> accessed over HTTPS with no certificate errors, the browser knows your site
> is HTTPS capable and will honor the Strict-Transport-Security header.
> "
> 
> Is your server available via https:// ? If you are running on port 80, that
> doesn't tell us if it's encrypted.
> 
> If you are enabling HSTS, how do you expect users to connect to your service
> if you are running non-secure HTTP on port 8080?
> 
> -chris
> 

Hello,
according to
https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob/master/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
the headers are set if request.isSecure is true.

So it depends on <Connector secure="true" .../> within the server.xml.
If behind a proxy with SSL offloading, this flag can also be set on a plain
HTTP connection.

Greetings,
Thomas
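As an added illustration (not part of Thomas's reply or of Tomcat's own distribution), the two configuration pieces this answer points at: the Connector's secure flag in server.xml, in the three ways it can come about, and the HttpHeaderSecurityFilter mapping in web.xml that actually emits the header. Ports, the max-age value, the proxy address and the keystore details are assumed values; the proxy variants assume the TLS terminator sends X-Forwarded-Proto.

```xml
<!-- server.xml, option A: Tomcat terminates TLS itself on an unprivileged port, so
     request.isSecure() is true for every request on this connector.
     Keystore file and password are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/KEYSTORE_PLACEHOLDER.p12"
                 certificateKeystorePassword="CHANGE_ME" type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- server.xml, option B: TLS is offloaded to a proxy and Tomcat only sees plain HTTP.
     secure="true" here marks EVERY request on the connector as secure, including a
     direct plain-HTTP hit that bypasses the proxy, so the connector must only be
     reachable from the proxy (firewall / bind address). -->
<Connector port="8080" protocol="HTTP/1.1" scheme="https" secure="true" proxyPort="443"/>

<!-- server.xml, option C (safer form of B): keep the connector plain and let
     RemoteIpValve set secure/scheme per request from X-Forwarded-Proto, trusting the
     header only when it arrives from the listed internalProxies (a regex). -->
<Connector port="8080" protocol="HTTP/1.1"/>
<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.0\.0\.5"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"/>
  <!-- Host elements unchanged -->
</Engine>

<!-- web.xml (conf/web.xml or the app's WEB-INF/web.xml): the filter that adds
     Strict-Transport-Security, only on requests where isSecure() is true. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

A quick check after restarting is to request the same URL once over the secure path and once over plain HTTP and confirm the Strict-Transport-Security header appears only on the former.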
