Trying to make a PCI-DSS compliant installation. It looks like this filter does everything that Apache can do with config files, so I'll leave it out.

________________________________________________
Kevin Huntly
Email: kmhun...@gmail.com
Cell: 716/424-3311
________________________________________________

On Fri, Apr 14, 2023 at 10:21 AM Mark Thomas <ma...@apache.org> wrote:

> On 13/04/2023 23:03, Kevin Huntly wrote:
> > Hello,
> > With this filter enabled in Tomcat's web.xml:
> >
> > <filter>
> >     <filter-name>httpHeaderSecurity</filter-name>
> >     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >     <async-supported>true</async-supported>
> > </filter>
> >
> > My sessions are being immediately lost. If I comment out the filter,
> > everything is fine. What does this filter actually do,
> > https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
> > and is it required if the front-end webserver already handles HSTS?
>
> That depends on why you added the filter. What features were you trying
> to enable?
>
> Mark
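An added example, not part of the original thread or of Tomcat's code: before leaving the filter out in favour of the front-end web server, one way to confirm that the front-end's responses carry the headers HttpHeaderSecurityFilter can set (Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options). The function names and the sample response are constructed for illustration.

```python
import re

# Headers that Tomcat's HttpHeaderSecurityFilter can emit and that the
# front-end web server has to supply if the filter is left out.
EXPECTED = ("strict-transport-security", "x-frame-options", "x-content-type-options")

def parse_headers(raw):
    """Parse a raw HTTP header block into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_value(name, value):
    """Return 'ok' or a short description of what is wrong with the value."""
    if name == "strict-transport-security":
        m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
        # max-age=0 tells the browser to drop its HSTS entry for the host
        return "ok" if m and int(m.group(1)) > 0 else "max-age missing or 0"
    if name == "x-frame-options":
        return "ok" if value.upper() in ("DENY", "SAMEORIGIN") else "unexpected value"
    return "ok" if value.lower() == "nosniff" else "unexpected value"

def audit(raw):
    """Return {header: finding}; a finding is 'ok' or a description of the gap."""
    headers = parse_headers(raw)
    findings = {}
    for name in EXPECTED:
        values = headers.get(name, [])
        if not values:
            findings[name] = "missing"
        elif len(values) > 1:
            findings[name] = "duplicate"  # header sent more than once
        else:
            findings[name] = check_value(name, values[0])
    return findings

# Constructed sample: a front-end response with HSTS and nosniff but no X-Frame-Options.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it the header block of a response captured through the front-end (not directly from Tomcat), so the result reflects what clients actually receive.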