Would/should this also cover cases where Tomcat is working on http or ajp although the connection is considered secure as SSL is offloaded to httpd or some other reverse proxy?
-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.INVALID>
Sent: Thursday, January 12, 2023 8:24
To: Tomcat Users List <users@tomcat.apache.org>
Subject: AW: Is it possible to add hsts header over http response ?

Hello,

HSTS only works via https. I think it's not specified for HTTP and shouldn’t be used for this protocol. So everything works as the specification defines.
You should not violate the specification and browsers won't care about this header in http anyway.

Greetings,
Thomas
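For the SSL-offloading case raised in the reply at the top of this thread, here is an added configuration example; it is not part of either message and not the Tomcat project's recommendation for this thread. It assumes the reverse proxy terminates TLS, forwards plain HTTP to Tomcat, and sets `X-Forwarded-Proto` itself; the proxy address `10.0.0.5` is constructed.

```xml
<!-- server.xml, inside <Host>: mark a request as secure only when the
     X-Forwarded-Proto header arrives from the known proxy address.
     10\.0\.0\.5 is a constructed address for the TLS-terminating proxy. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.5"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />

<!-- web.xml: Tomcat's bundled header filter. It adds
     Strict-Transport-Security only when request.isSecure() is true,
     so plain-HTTP requests that did not come through TLS at the proxy
     get no HSTS header. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The proxy should overwrite any client-supplied `X-Forwarded-Proto` so that a request arriving over plain HTTP cannot claim to be HTTPS.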