Hey Peter,

Yes, the context is ROOT as this app does have a ROOT component.

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -----Original Message-----
> From: l...@kreuser.name <l...@kreuser.name>
> Sent: Friday, April 21, 2023 1:58 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> again, the Qualys Scanner usually does not know any other webcontexts
> than root, manager and examples. So if you don't have a root context, it may
> well end up in the woods and the result will not have a HSTS-Header. Can you
> verify the requested resource?
> 
> Best regards
> 
> Peter
> 
> > On 21.04.2023 at 17:47, jonmcalexan...@wellsfargo.com.invalid
> <jonmcalexan...@wellsfargo.com.INVALID> wrote:
> >
> > Thank you Olaf, however, the connection was made over https directly to
> Tomcat on port 8443.
> >
> > Thanks,
> >
> >
> >
> >> -----Original Message-----
> >> From: Olaf Kock <tom...@olafkock.de>
> >> Sent: Friday, April 21, 2023 1:48 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >>
> >> On 21.04.23 at 07:03, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> No, there is no error and no stack trace. Everything works, just the
> >>> hsts
> >> header isn't in the list of headers.
> >>>
> >> The lowest hanging fruit: HSTS is only defined on https - on http it
> >> doesn't have any meaning and Tomcat would be correct in not sending
> >> it (I haven't looked at the source if it does, but it should be easy
> >> to test)
> >>
> >> If you have a reverse proxy handling https & proxying through http,
> >> Tomcat might not know that it'd be fine to send the header. (If that
> >> is your case, there is the brute force "secure" attribute on the
> >> connector
> >> - use it only when there's no way to connect through http from
> >> anywhere but your reverse proxy)
> >>
> >> This has bitten me a few times
> >>
> >> Olaf
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> >
> 
> 


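A configuration sketch for the two cases raised in the thread, added here as an example and not taken from any poster's setup. It assumes HSTS is enabled through Tomcat's bundled HttpHeaderSecurityFilter; the port numbers, bind address and max-age value are constructed sample values.

```xml
<!-- web.xml: conf/web.xml applies the filter to every deployed context,
     an application's WEB-INF/web.xml only to that context.
     A request that maps to no deployed context (for example "/" when there
     is no ROOT webapp) never reaches any filter, so its response carries
     no Strict-Transport-Security header. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- constructed sample value: one year -->
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- server.xml, reverse-proxy case only: TLS ends at the proxy and Tomcat
     receives plain HTTP. The filter adds the HSTS header only when
     request.isSecure() is true; secure="true" makes every request on this
     connector report as secure. Binding to loopback (assumed: proxy on the
     same host) keeps any other client from reaching the connector directly. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           scheme="https" secure="true" proxyPort="443" />
```

When checking the result, request a path that belongs to a deployed context over https and inspect the response headers of that exact request, since redirects and 404s from outside any context will not show the header.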