Hello,

> -----Original Message-----
> From: Devatha Naga Puneeth <dnpunee...@gmail.com>
> Sent: Thursday, 12 January 2023 06:52
> To: users@tomcat.apache.org
> Subject: Is it possible to add hsts header over http response ?
> 
> Apache Tomcat Version : 9.0.65
> 
>  <filter>
>   <filter-name>sts</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
>   <init-param>
>     <param-name>hstsEnabledForHttp</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsMaxAgeSeconds</param-name>
>     <param-value>31536000</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsIncludeSubDomains</param-name>
>     <param-value>true</param-value>
>   </init-param>
>  </filter>
> 
>  <filter-mapping>
>   <filter-name>sts</filter-name>
>   <url-pattern>/*</url-pattern>
>  </filter-mapping>
> 
> Used the above configuration in the conf/web.xml to add the hsts header.
> It is adding hsts header over only https responses.
> 
> Is it possible to add hsts header over http response through tomcat? If
> possible, could you provide a way to add the hsts header over http 302
> responses as well?

HSTS only works via https. I think it's not specified for HTTP and shouldn’t be 
used for this protocol.
So everything works as the specification defines.
You should not violate the specification and browsers won't care about this 
header in http anyway.

Greetings,
Thomas
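
What the reply implies for configuration, as an added example that is not part of the original thread or of Tomcat's shipped web.xml: emit the header on HTTPS responses with the filter's documented `hstsEnabled` parameter, and let a `CONFIDENTIAL` transport guarantee redirect plain-HTTP requests to the connector's `redirectPort`, so the browser receives the header on the HTTPS response that follows. The resource name `everything-over-tls` and the `/*` patterns are assumptions.

```xml
<!-- Added example: web.xml fragment, not taken from the original thread. -->
<filter>
  <filter-name>sts</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <!-- The filter writes Strict-Transport-Security only on secure requests -->
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>sts</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Requests arriving over plain HTTP are redirected to the HTTPS connector
     (the HTTP connector's redirectPort) instead of being served. -->
<security-constraint>
  <web-resource-collection>
    <!-- Assumed name; any label works -->
    <web-resource-name>everything-over-tls</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

If TLS terminates at a proxy in front of Tomcat, the request must still be marked secure (for example with `RemoteIpValve` reading `X-Forwarded-Proto`) for the filter to emit the header.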
