Jon,

On 4/27/23 12:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
Ok, thank you.

Sure. Now you just need to figure out why it's not actually having the intended effect.

*SOME* of the headers are being produced, but not all.

The filter itself has no logging whatsoever, so I think you'll have to follow Olaf's suggestion of running it under a debugger if you want immediate clarity on what's happening.

-chris

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, April 27, 2023 10:16 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/26/23 13:04, jonmcalexan...@wellsfargo.com.INVALID wrote:
Qualsys only checks ROOT (/), as it's the only context it could
possibly know about. The team does have a ROOT webapps which is
different from the one supplied with Tomcat.
Understood. I thought your main application was ROOT. It's not super
important. Just use the "dummy ROOT" for this purpose. I think it's easier than
modifying the base Tomcat install every time you upgrade.

Can you show me where in the application web.xml to specify the
headers? I'm not that familiar with things at that level, just at the
server level.
It should be the same as what you put into conf/web.xml: just define the
<filter> and add <filter-mapping>/*</filter-mapping>.

-chris

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 4:40 PM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
<Connector port="8443" keystorePass="REMOVED"
keystoreFile="REMOVED"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>
Here is the code for the HSTS part of the Filter:

       // HSTS
       if (hstsEnabled && request.isSecure()) {
           httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
       }

I was wondering if maybe secure="true" wasn't there, but you have it.

:hmm:

What's the name of the application artifact? Like the WAR file or
WAR-directory in webapps/ ? Are you deploying it multiple times --
say, from both auto-deployment *and also* with a <Context> in
conf/server.xml?

Your copy/paste of web.xml has a bunch of leading - symbols before
each of the <open-elements> e.g.:

-<filter>
<filter-name>httpHeaderSecurity</filter-name>

Is that just an artifact from the XML editor/viewer you are using?

I can see these headers which should also be coming from the
HttpHeaderSecurityFilter:

X-Content-Type-Options nosniff
X-Frame-Options        SAMEORIGIN
X-XSS-Protection       1

(Although the documentation suggests that the value for
X-XSS-Protection should be "1; mode=block" and it isn't in the above
header value.)

Are you able to change the configuration and/or add some code/config?

-chris

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 10:04 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
It's the Server level web.xml in conf

So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to
happen.
Having the ROOT means that you can always return e.g. a 404
response even if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a
request for /foo would return 400 or something similar instead of 404).

It also means that your Tomcat installation doesn't have to be
re-customized any time you upgrade it: just deploy your dummy-ROOT
and your own application and you are all good.

What does your <Connector> look like for port 8443?

-chris

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
Hello again.

I have another app team that is getting hit with a QID 11827
stating that the hsts Security header is missing. We have reviewed
the web.xml and the appropriate section and filter are present.
hstsEnabled is set to true.
Performing a curl against the site does NOT show the hsts STRICT
header.

WEB.XML

Which web.xml? And is the filename really capitalized?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
