On 16.01.23 06:57, Deepti Sharma S wrote:
Hello Team,
Can you please help us with the below query:
Query : How to enable HSTS in Apache Tomcat on non-default ports?
We have custom ports for http and https and we want to enable HSTS on
those custom ports.
Note: We could see HSTS is working with default ports 80/443 though it's not
working on other custom ports, please let us know if there are different steps
to enable HSTS on non-default ports.
In order to "work", HSTS *must* be on https, by specification.
When you say you got it working on 80/443, you haven't. You might see
the headers, but it's not working. Most likely the header is ignored by
the browser.
Wherever you handle your https termination - that might be on Tomcat,
or on a reverse proxy that sees traffic before Tomcat does - you'll best
do the HSTS handling. /That/ server knows it's serving https. And there
the header actually is valid and working.
If you try to configure a http (not https) connector on Tomcat for
adding the HSTS headers, it's well within the specification to ignore
that setting.
Technically you can do some trickery around that, but to make that
sensibly and safely would take more than a quick answer. And leave room
for misinterpretation and configuration mistakes. So: Configure it
anywhere you terminate https, and ignore it on http.
Olaf