Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> It's the Server level web.xml in conf

So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file
and
2. Deploy a ROOT application which has only a few things in it
and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to happen. Having the ROOT means that you can always return e.g. a 404 response even if there is no application deployed on /foo just in case. (This may have changed in the past few years, it used to be that a request for /foo would return 400 or something similar instead of 404).

It also means that your Tomcat installation doesn't have to be re-customized any time you upgrade it: just deploy your dummy-ROOT and your own application and you are all good.

What does your <Connector> look like for port 8443?

-chris
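
Added example, not part of the original thread: a minimal `webapps/ROOT/WEB-INF/web.xml` for the placeholder ROOT application described above, carrying Tomcat's `HttpHeaderSecurityFilter` with HSTS enabled. The same `<filter>` and `<filter-mapping>` pair would go in the real application's own `WEB-INF/web.xml`. The display name, max-age value and includeSubDomains choice are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- webapps/ROOT/WEB-INF/web.xml: placeholder ROOT application (illustrative) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

  <!-- Assumed name; any value works -->
  <display-name>ROOT placeholder</display-name>

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- Assumed policy values: one year, subdomains included -->
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

  <!-- The mapping is required: a <filter> with no <filter-mapping> is
       defined but never runs, so no header is added. In the stock
       conf/web.xml both elements ship commented out, separately. -->
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
```

The filter adds `Strict-Transport-Security` only to requests Tomcat considers secure, so the header is absent when the connector handling the request is not marked as TLS (or `secure="true"` behind a TLS-terminating proxy), even with `hstsEnabled` set to true.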

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Hello again.
>
> I have another app team that is getting hit with a QID 11827 stating that the
> hsts Security header is missing. We have reviewed the web.xml and the
> appropriate section and filter are present. hstsEnabled is set to true.
> Performing a curl against the site does NOT show the hsts STRICT header.
>
> WEB.XML

Which web.xml? And is the filename really capitalized?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

