Shawn,

On 1/12/23 20:48, Shawn Heisey wrote:
On 1/12/23 01:34, Mark Thomas wrote:
On 12/01/2023 08:26, Hiran CHAUDHURI wrote:
In that case the Connector would need to be configured with secure="true" to work correctly/securely and the HttpHeaderSecurityFilter would add the HSTS header if configured to do so.

My personal opinion is that the header should be added by whatever is handling the TLS.

+1

Only the TLS terminator knows whether or not HSTS is appropriate.

I don't have Tomcat in my current setups, but the piece handling TLS for me is haproxy.  In a lot of cases it will be Apache httpd.  My haproxy frontend config has this:

  http-after-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"

For Apache httpd, it's:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"

The max-age is up to you, as are the other parameters.

CORS is a whole other matter in httpd. I feel like I spend forever getting that to work as hoped.

-chris
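As an added example (not code from this thread or from haproxy, httpd or Tomcat), here is a small checker that parses a Strict-Transport-Security value such as the two quoted above per RFC 6797 and reports whether it meets the preload-list requirements. The one-year minimum max-age (31536000 seconds) is the hstspreload.org submission rule and is assumed here; the thread does not state it.

```python
"""Parse a Strict-Transport-Security header value and check it against a policy.

Added example, not from the mailing-list thread. The preload threshold is the
hstspreload.org requirement (max-age >= 31536000), assumed here.
"""
from dataclasses import dataclass
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year, assumed from hstspreload.org rules


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """RFC 6797 grammar: directives separated by ';', empty directives allowed,
    so a trailing ';' (as in the haproxy/httpd lines in the thread) parses
    cleanly. Names are case-insensitive; a repeated directive is treated as
    malformed here; unknown directives are ignored as the RFC requires."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directive, permitted by the grammar
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age value may be quoted
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer: {arg!r}")
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        raise ValueError("max-age directive is required")
    return policy


def preload_ready(value: str) -> bool:
    """True only if the header satisfies the preload-list requirements."""
    p = parse_hsts(value)
    return p.preload and p.include_subdomains and p.max_age >= PRELOAD_MIN_MAX_AGE
```

Run it over the header value your TLS terminator actually emits (e.g. from `curl -sI`) rather than the config line, since the response is what browsers see.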
