Jon,
On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> It's the Server level web.xml in conf
So it applies to all web applications.
I would recommend that you change that configuration to:
1. Be present in your own web application's WEB-INF/web.xml file
and
2. Deploy a ROOT application which has only a few things in it
and
3. Be present in webapps/ROOT/WEB-INF/web.xml
Having a missing ROOT application can cause a few weird things to
happen. Having the ROOT means that you can always return e.g. a 404
response even if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a
request for /foo would return 400 or something similar instead of 404).
It also means that your Tomcat installation doesn't have to be
re-customized any time you upgrade it: just deploy your dummy-ROOT and
your own application and you are all good.
What does your <Connector> look like for port 8443?
-chris
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73
Jon,
On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Hello again.
> I have another app team that is getting hit with a QID 11827 stating that the
> hsts Security header is missing. We have reviewed the web.xml and the
> appropriate section and filter are present. hstsEnabled is set to true.
> Performing a curl against the site does NOT show the hsts STRICT header.
> WEB.XML
Which web.xml? And is the filename really capitalized?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org