Hi all,

Tomcat version: 9.0.37

Our website is running on Tomcat. We did a Qualys vulnerability scan on our site. The scan shows the vulnerability below:

Insecure transport
Group: Information Disclosure
CWE: CWE-319
OWASP: A3 Sensitive Data Exposure
WASC: WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION

Please note:

1. HTTP port is not enabled.
2. We have only opened HTTPS port 8443. But when we connect to this HTTPS port with HTTP (http://www.oursite.com:8443/), we get an error "Bad Request. This combination of host and port requires TLS."
3. Due to the above error message, we get this vulnerability error from Qualys.
4. We have already enabled HSTS.
5. We have enabled the Rewrite Valve also, to direct all HTTP to HTTPS. But it never works. It is like Tomcat doesn't care about Rewrite or HSTS. It just finds someone is accessing the HTTPS port with the HTTP protocol and then just throws error 400 'Bad Request'.
6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP', which should still be okay.

We already tried to find the fix for this issue on the web but in vain. Kindly help if anyone has found a way to fix it.

Regards,
Pratik
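The finding above comes down to one observable: when a plaintext HTTP request is sent to the TLS-only port, the server answers in plaintext with a 400 instead of staying silent or speaking TLS. The probe below is an added example, not code from the post or from Tomcat, for reproducing that observation locally and for re-checking the port after any connector change. `probe`, `classify_reply` and `serve_once` are hypothetical helper names; the reply bytes are constructed for the test (the body text is the message quoted in the post, the headers are assumed), and nothing here depends on the real site.

```python
import socket
import threading

# Constructed sample reply: what the post describes Tomcat 9 returning when an
# HTTP request arrives on the TLS connector. Headers are assumed; the body text
# is the message quoted in the post.
TOMCAT_PLAINTEXT_400 = (
    b"HTTP/1.1 400 \r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<h1>HTTP Status 400 - Bad Request</h1>"
    b"This combination of host and port requires TLS."
)


def classify_reply(data: bytes) -> str:
    """Classify what a port returned to a plaintext HTTP request.

    'plaintext-http:<status>' is the condition the scanner flags: the TLS port
    talked HTTP in the clear. 'no-response' is the Tomcat 7 style behaviour
    (connection closed without bytes). 'tls-alert' means the port only spoke TLS.
    """
    if not data:
        return "no-response"
    if data.startswith(b"HTTP/"):
        parts = data.split(b" ", 2)
        status = parts[1].decode(errors="replace") if len(parts) > 1 else "?"
        return "plaintext-http:" + status
    # TLS record header: content type 0x15 (alert), version major byte 0x03.
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send one plaintext GET to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                  % host.encode())
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except (socket.timeout, ConnectionResetError):
            # A reset or silence is treated like an empty reply.
            pass
    return classify_reply(b"".join(chunks))


def serve_once(reply: bytes) -> int:
    """Start a throwaway local listener that answers one connection with `reply`.

    Used only so the probe can be exercised offline; returns the bound port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # consume the request
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


if __name__ == "__main__":
    # Local demonstration against the constructed Tomcat-9-style reply.
    local_port = serve_once(TOMCAT_PLAINTEXT_400)
    print(probe("127.0.0.1", local_port))  # plaintext-http:400
```

Against the real host, `probe("www.oursite.com", 8443)` returning `plaintext-http:400` is exactly what the scanner is reporting; a result of `tls-alert` or `no-response` after a configuration change is the confirmation that the plaintext answer is gone. The classifier looks only at the first bytes of the reply, so it works regardless of which Tomcat version produced it.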
Our website is running on Tomcat. We did Qualys vulnerability scan on our site. Scan shows below vulnerability. Insecure transport Group: Information Disclosure CWE CWE-319 OWASP A3 Sensitive Data Exposure WASC WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION Please note 1. HTTP port is not enabled. 2. We have only opened HTTPS port 8443. But when we connect this HTTPS port with HTTP (http://www.oursite.com:8443/), we get an error "Bad Request. This combination of host and port requires TLS." 3. Due to the above error message, we get this vulnerability error from Qualys. 4. We have already enabled HSTS. 5. We have enabled Rewrite Valve also to direct all HTTP to HTTPS. But it never works. It is like, Tomcat doesn't care about Rewrite or HSTS. It just finds someone is accessing HTTPS port with HTTP protocol and then just throws error 400 'Bad Request' 6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP' which should still be okay. We already tried to find the fix for this issue on the web but in vain. Kindly help if anyone has found a way to fix it. Regards, Pratik