AW: HSTS on 401 / error pages

[Thomas Hoffmann (Speed4Trade GmbH)]

Hello Chris,

> -----Ursprüngliche Nachricht-----
> Von: Christopher Schultz <ch...@christopherschultz.net>
> Gesendet: Donnerstag, 14. September 2023 15:26
> An: users@tomcat.apache.org
> Betreff: Re: HSTS on 401 / error pages
> 
> Thomas,
> 
> Please start a new thread next time.

Sorry, I thought removing all content and subject is sufficient. Maybe the 
message-id header is used internally(?)

> On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello everyone,
> >
> > I would like to get your opinion about the HttpHeaderSecurityFilter in
> Tomcat.
> > I configured HSTS in Tomcat and it works well.
> > When I do a pen-test with burpsuite it complains that HSTS header is
> missing on 401 responses.
> > I couldn’t find much information about whether HSTS makes sense for
> error pages.
> >
> > It seems that Tomcat doesn’t send HSTS on 401 pages but burpsuite
> expects the header.
> > Are there any pros and cons about sending HSTS on 401 response?
> 
> You should always return an HSTS header.
> 
> How have you configured your HttpHeaderSecurityFilter? What is causing the
> 401 response? Which application is responding with that status?
> 
> -chris
> 

Here are the requested details:

SecurityFilter is set in the web.xml of the application:
<filter>
       <filter-name>httpHeaderSecurity</filter-name>
       
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
       <async-supported>true</async-supported>
       <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
       </init-param>
...

Further down in the web.xml is a constraint:
   <security-constraint>
         <web-resource-collection>
             <web-resource-name>xxx</web-resource-name>
             <url-pattern>/*</url-pattern>
         </web-resource-collection>

         <auth-constraint>
             <role-name>yyy</role-name>
         </auth-constraint>

         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>


There is no frontend-server, tomcat is directly accessed from the browser.
It seems that burpsuite didn’t send authentication in the first place and this 
resulted in 401.

If I use curl https://<domain>/  I get similar result:
< HTTP/1.1 401
< WWW-Authenticate: Negotiate
< Content-Type: text/html;charset=utf-8
< Content-Language: de
< Content-Length: 439
< Date: Thu, 14 Sep 2023 13:58:10 GMT

When providing credentials to curl, the following headers are also included:
< Strict-Transport-Security: max-age=31536000;includeSubDomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block

I hope this information helps.

Thanks in advance!
Thomas