On 1/12/23 01:34, Mark Thomas wrote:
> On 12/01/2023 08:26, Hiran CHAUDHURI wrote:
> In that case the Connector would need to be configured with
> secure="true" to work correctly/securely and the
> HttpHeaderSecurityFilter would add the HSTS header if configured to do so.
My personal opinion is that the header should be added by whatever is
handling the TLS.
I don't have Tomcat in my current setups, but the piece handling TLS for
me is haproxy. In a lot of cases it will be Apache httpd. My haproxy
frontend config has this:
    http-after-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
Thanks,
Shawn
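Added example, not part of the original message or of any project mentioned in it: a small checker for the value of a Strict-Transport-Security header, whichever component (haproxy, httpd or Tomcat's filter) emits it. It follows the RFC 6797 directive grammar in simplified form and the hstspreload.org submission criteria; the function names and the sample values in the comments are constructed for illustration.

```python
# Added example: audit a Strict-Transport-Security header value.
# parse_hsts / audit_hsts are illustrative names, not an existing API.

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_hsts(value):
    """Return {lowercased directive: value or None}; ValueError if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # RFC 6797 permits empty directives ("a; ; b;")
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if sep else None
    age = directives.get("max-age")
    if age is None:
        raise ValueError("max-age is required")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(age)
    return directives


def audit_hsts(value, served_over_tls=True):
    """Return a list of findings for one response's HSTS header value."""
    findings = []
    if not served_over_tls:
        # Browsers ignore the header on responses received over plain HTTP.
        findings.append("header sent over plain HTTP is ignored by browsers")
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return findings + [f"invalid header: {exc}"]
    if d["max-age"] == 0:
        findings.append("max-age=0 makes the browser drop the HSTS policy")
    if "preload" in d:
        if d["max-age"] < PRELOAD_MIN_MAX_AGE:
            findings.append("preload: max-age below hstspreload.org minimum")
        if "includesubdomains" not in d:
            findings.append("preload: includeSubDomains missing")
    return findings


if __name__ == "__main__":
    for sample in ("max-age=31536000; includeSubDomains; preload",  # constructed
                   "max-age=600; preload", "includeSubDomains"):
        print(sample, "->", audit_hsts(sample))
```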