We are using TOMCAT 9.0.40 on Linux, and are trying to set up Strict-Transport-Security per a requirement from our security team.

We followed this note: https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html

Changed $CATALINA_HOME/conf/web.xml with:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31556927</param-value>
        </init-param>
    </filter>

And uncommented:

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

After we restarted TOMCAT APACHE, we still couldn't see Strict-Transport-Security using the following curl command:

    curl -i -s https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home | grep -i Strict-Transport-Security

I am reaching out to see if there are any additional steps that need to be done for setting up this security flag.
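A header check that is stricter than the grep in the question, as an added example that is not part of the original post: it reads only response headers, looks at the last response when redirects are followed, and extracts max-age. The names `hsts_max_age`, `with_hsts` and `without_hsts` are hypothetical, and the sample responses are constructed, not captured from the poster's server.

```bash
# hsts_max_age: read raw HTTP response headers on stdin, e.g. from
#   curl -s -L -D - -o /dev/null "$URL"
# and print max-age from Strict-Transport-Security in the LAST response.
# Exit status: 0 = found, 1 = header absent, 2 = header without max-age.
hsts_max_age() {
  awk '
    { sub(/\r$/, "") }                          # HTTP lines end in CRLF
    /^HTTP\// { found = 0; hsts = ""; next }    # new response (after a redirect)
    tolower($0) ~ /^strict-transport-security:/ {
      found = 1
      hsts = tolower($0)
      sub(/^[^:]*:[ \t]*/, "", hsts)            # keep only the header value
    }
    END {
      if (!found) exit 1
      if (match(hsts, /max-age="?[0-9]+/)) {
        v = substr(hsts, RSTART, RLENGTH)
        gsub(/[^0-9]/, "", v)
        print v
        exit 0
      }
      exit 2
    }'
}

# Constructed sample: a redirect without the header, then a final 200 with it.
with_hsts() {
  printf 'HTTP/1.1 302 \r\nLocation: /home\r\n\r\n'
  printf 'HTTP/1.1 200 \r\nStrict-Transport-Security: max-age=31556927\r\n\r\n'
}

# Constructed sample: the redirect carries the header, the final page does not.
without_hsts() {
  printf 'HTTP/1.1 302 \r\nStrict-Transport-Security: max-age=31556927\r\n\r\n'
  printf 'HTTP/1.1 200 \r\nContent-Type: text/html\r\n\r\n'
}

for sample in with_hsts without_hsts; do
  if age=$($sample | hsts_max_age); then
    echo "$sample: max-age=$age"
  else
    echo "$sample: final response has no usable HSTS header"
  fi
done
```

Tomcat's HttpHeaderSecurityFilter adds the header only when `request.isSecure()` is true for the request, so the check is meaningful only against the HTTPS endpoint that Tomcat itself treats as secure.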