On 12/01/2023 08:26, Hiran CHAUDHURI wrote:
Would/should this also cover cases where Tomcat is working on http or ajp
although the connection is considered secure as SSL is offloaded to httpd or
some other reverse proxy?

In that case the Connector would need to be configured with
secure="true" to work correctly/securely and the
HttpHeaderSecurityFilter would add the HSTS header if configured to do so.

Mark

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.INVALID>
Sent: Thursday, January 12, 2023 8:24
To: Tomcat Users List <users@tomcat.apache.org>
Subject: AW: Is it possible to add hsts header over http response ?
Hello,
HSTS only works via https. I think it's not specified for HTTP and shouldn’t be
used for this protocol.
So everything works as the specification defines.
You should not violate the specification and browsers won't care about this
header in http anyway.
Greetings,
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
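
Added example (not part of the original thread and not the Tomcat project's own configuration): the Connector and filter settings discussed above for a Tomcat instance behind a TLS-terminating reverse proxy. The port, bind address, proxy host name and max-age value are assumptions chosen for illustration.

```xml
<!-- conf/server.xml, before: plain HTTP connector behind the proxy.
     Tomcat treats every request as non-secure (request.isSecure() is false),
     so HttpHeaderSecurityFilter does not add the HSTS header. -->
<Connector port="8080" protocol="HTTP/1.1" />

<!-- conf/server.xml, after: the proxy terminates TLS, Tomcat is told so.
     secure="true" marks every request on this connector as secure, so the
     connector must only be reachable from the proxy; binding it to loopback
     (assumed here: proxy on the same host) is one way to enforce that. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           secure="true"
           scheme="https"
           proxyName="www.example.org"
           proxyPort="443" />

<!-- WEB-INF/web.xml (or conf/web.xml): enable the filter and give HSTS
     a non-zero lifetime. 31536000 seconds (one year) is an assumed value. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

To check the result, request a page through the proxy over https and confirm the response carries a Strict-Transport-Security header; a request sent directly to port 8080 from another host should be refused.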