Jon, again: the Qualys scanner usually does not know any web contexts other than root, manager and examples. So if you don't have a root context, it may well end up in the woods and the result will not have an HSTS header. Can you verify the requested resource?
Best regards
Peter

> On 21.04.2023 at 17:47, jonmcalexan...@wellsfargo.com.invalid <jonmcalexan...@wellsfargo.com.INVALID> wrote:
>
> Thank you Olaf, however, the connection was made over https directly to
> Tomcat on port 8443.
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
>
>
>> -----Original Message-----
>> From: Olaf Kock <tom...@olafkock.de>
>> Sent: Friday, April 21, 2023 1:48 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OT: hsts in Tomcat 9.0.73
>>
>>
>> On 21.04.23 at 07:03, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>> No, there is no error and no stack trace. Everything works, just the hsts
>>> header isn't in the list of headers.
>>>
>> The lowest hanging fruit: HSTS is only defined on https - on http it doesn't
>> have any meaning and Tomcat would be correct in not sending it (I haven't
>> looked at the source if it does, but it should be easy to test)
>>
>> If you have a reverse proxy handling https & proxying through http, Tomcat
>> might not know that it'd be fine to send the header. (If that is your case,
>> there is the brute force "secure" attribute on the connector
>> - use it only when there's no way to connect through http from anywhere
>> but your reverse proxy)
>>
>> This has bitten me a few times
>>
>> Olaf
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
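The thread raises two separate reasons for a "missing" HSTS header: Olaf's point that Tomcat only sends it when it sees the request as secure (so a plain-http hop behind a reverse proxy gets nothing), and Peter's point that a scanner asking for a context that is not deployed gets a 404 from Tomcat itself, before any application filter runs. The checker below is an added example, not code from the thread, from Tomcat or from the Qualys scanner. It parses a raw HTTP response head, tells those cases apart, and validates the `Strict-Transport-Security` directives; the three sample responses and the `tomcat.example` hostnames are constructed placeholders, and the `fetch_response_head` helper is only used when a URL is passed on the command line.

```python
"""Check whether an HTTP response carries a usable HSTS header.

Added example for the Tomcat users thread on HSTS; it is not Tomcat's own
code. Assumption (as the thread states): Tomcat's HttpHeaderSecurityFilter
only adds Strict-Transport-Security when the request is seen as secure.
"""
import http.client
import sys
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from the poster's server).
# 1) A deployed context served over https with the header filter active.
APP_CONTEXT_RESPONSE = (
    "HTTP/1.1 200 \r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# 2) A request for "/" on a server with no ROOT context: no web application
#    (and therefore no filter chain) handles it, Tomcat answers 404 itself.
MISSING_ROOT_RESPONSE = (
    "HTTP/1.1 404 \r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# 3) The same context reached over plain http (the proxy-to-Tomcat hop):
#    Tomcat does not consider the request secure, so no header is sent.
PROXIED_HTTP_RESPONSE = (
    "HTTP/1.1 200 \r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse the ';'-separated directives of a Strict-Transport-Security value.

    Directive names are case-insensitive; value-less directives map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def split_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status code, lowercased header name -> values) from a raw head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])  # Tomcat sends "HTTP/1.1 200 " (no reason phrase)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line:
            name, _, val = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(val.strip())
    return status, headers


def check_hsts(url: str, raw_response: str) -> dict:
    """Classify why HSTS is present or absent for the resource actually requested."""
    scheme = url.split("://", 1)[0].lower()
    status, headers = split_response(raw_response)
    report = {"url": url, "scheme": scheme, "status": status, "hsts": None, "verdict": ""}
    values = headers.get("strict-transport-security", [])
    if scheme != "https":
        report["verdict"] = "plain http: HSTS is only meaningful over https, absence here proves nothing"
    elif not values and status == 404:
        report["verdict"] = "404: no deployed context handled this path, so no filter ran; check what the scanner requested"
    elif not values:
        report["verdict"] = "no hsts: filter not active for this context, or Tomcat did not see the request as secure"
    else:
        directives = parse_hsts(values[0])
        report["hsts"] = directives
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            report["verdict"] = "malformed: max-age directive missing or not numeric"
        elif int(max_age) == 0:
            report["verdict"] = "max-age=0: this tells browsers to drop the policy"
        else:
            report["verdict"] = "ok"
    return report


def fetch_response_head(url: str, timeout: float = 10.0) -> str:
    """Fetch a live URL and rebuild its status line and headers as raw text."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()  # a 404 is returned, not raised, so its headers are kept
        lines = [f"HTTP/1.1 {resp.status} "] + [f"{k}: {v}" for k, v in resp.getheaders()]
    finally:
        conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of the exact resource the scanner requested
        print(check_hsts(sys.argv[1], fetch_response_head(sys.argv[1])))
    else:
        for sample_url, raw in [
            ("https://tomcat.example:8443/app/", APP_CONTEXT_RESPONSE),
            ("https://tomcat.example:8443/", MISSING_ROOT_RESPONSE),
            ("http://tomcat.example:8080/app/", PROXIED_HTTP_RESPONSE),
        ]:
            print(check_hsts(sample_url, raw))
```

Run it with the same URL the scanner reported to see which of the three cases applies. For the reverse-proxy case, the connector's `secure="true"` attribute that Olaf mentions makes Tomcat treat every request on that connector as secure; the narrower alternative in Tomcat is the RemoteIpValve with a `protocolHeader` (typically `X-Forwarded-Proto`), which marks a request secure only when the proxy says it arrived over https.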