Here is the output from a powershell command:

Invoke-WebRequest -Uri https://ldvwa00a0010.wellsfargo.com:8443 
-MaximumRedirection 0 | Select-Object -ExpandProperty Headers

Key                    Value
---                    -----
X-Content-Type-Options nosniff
X-Frame-Options        SAMEORIGIN
X-XSS-Protection       1
Set-Cookie             JSESSIONID=E60F2DA9B666966565C8076FE5C47226.wfig1; 
Path=/; Secure; HttpOnly,COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:39:55 
GMT; Path=/; Secure; HttpOnly,GU...
Location               https://ldvwa00a0010.wellsfargo.com:8443/c/portal/license
Content-Length         0
Date                   Fri, 21 Apr 2023 20:57:47 GMT
Keep-Alive             timeout=60
Connection             keep-alive


Here is curl

curl -ikl --verbose https://HOST:8443 > op.txt

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* 
  Trying IP:8443...
* TCP_NODELAY set
* Connected to HOST (IP) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* 
TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3806 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=; OU=; CN=
*  start date: Aug 10 16:35:12 2022 GMT
*  expire date: Aug  9 16:35:12 2024 GMT
*  issuer: C=US; O=; OU=; CN=
*  SSL certificate verify result: self signed certificate in certificate chain 
(19), continuing anyway.
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0} 
[5 bytes data]
> GET / HTTP/1.1
> Host: HOST:8443
> User-Agent: curl/7.65.3
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 302
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1
< Set-Cookie: JSESSIONID=CB5FFB977D92D0CB953AE651014CD048.wfig1; Path=/; 
Secure; HttpOnly
< Set-Cookie: COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
Path=/; Secure; HttpOnly
< Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Tue, 03 Dec 2069 23:42:52 GMT; 
Path=/; Secure; HttpOnly
< Location: https://HOST:8443/c/portal/license
< Content-Length: 0
< Date: Fri, 21 Apr 2023 21:00:44 GMT
<
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
* Connection #0 to host left intact

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Friday, April 21, 2023 1:17 PM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
> 
> Jon,
> 
> On 4/21/23 11:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Thank you Olaf, however, the connection was made over https directly
> > to Tomcat on port 8443.
> Sample curl with secrets removed?
> 
> -chris
> 
> >> -----Original Message-----
> >> From: Olaf Kock <tom...@olafkock.de>
> >> Sent: Friday, April 21, 2023 1:48 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: OT: hsts in Tomcat 9.0.73
> >>
> >>
> >> Am 21.04.23 um 07:03 schrieb jonmcalexan...@wellsfargo.com.INVALID:
> >>> No, there is no error and no stack trace. Everything works, just the
> >>> hsts
> >> header isn't in the list of headers.
> >>>
> >> The lowest hanging fruit: HSTS is only defined on https - on http it
> >> doesn't have any meaning and Tomcat would be correct in not sending
> >> it (I haven't looked at the source if it does, but it should be easy
> >> to test)
> >>
> >> If you have a reverse proxy handling https & proxying through http,
> >> Tomcat might not know that it'd be fine to send the header. (If that
> >> is your case, there is the brute force "secure" attribute on the
> >> connector
> >> - use it only when there's no way to connect through http from
> >> anywhere but your reverse proxy)
> >>
> >> This has bitten me a few times
> >>
> >> Olaf
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to