No, there is no error and no stack trace. Everything works, just the hsts header isn't in the list of headers.
Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -----Original Message----- > From: Peter Kreuser <l...@kreuser.name> > Sent: Thursday, April 20, 2023 4:44 PM > To: Tomcat Users List <users@tomcat.apache.org> > Subject: Re: OT: hsts in Tomcat 9.0.73 > > Any more details on the request? > > Are you hitting an error 400? Like with ip address on a name based host? > > That is handled prior to the filter and so you don't see the header! > > Peter > > > Am 20.04.2023 um 22:40 schrieb jonmcalexan...@wellsfargo.com.invalid: > > > > Hellow again. > > > > I hae another app team that is getting hit with a QID 11827 stating that the > hsts Security header is missing. We have reviewed the web.xml and the > appropriate section and filter are present. hstsEnabled is set to true. > Performing a curl aganst the site does NOT show the hsts STRICT header. > > > > WEB.XML > > > > -<filter> > > <filter-name>httpHeaderSecurity</filter-name> > > <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</fi > > lter-class> <async-supported>true</async-supported> > > <!-- Overriding default value of DENY. 4/27/2022 --> > > > > -<init-param> > > <param-name>antiClickJackingOption</param-name> > > <param-value>SAMEORIGIN</param-value> > > </init-param> > > > > -<init-param> > > <param-name>hstsEnabled</param-name> > > <param-value>true</param-value> > > </init-param> > > > > > > -<init-param> > > <param-name>hstsMaxAgeSeconds</param-name> > > <param-value>31536000</param-value> > > </init-param> > > > > > > -<init-param> > > <param-name>hstsIncludeSubDomains</param-name> > > <param-value>true</param-value> > > </init-param> > > > > </filter> > > > > -<filter-mapping> > > <filter-name>httpHeaderSecurity</filter-name> > > <url-pattern>/*</url-pattern> > > <dispatcher>REQUEST</dispatcher> > > </filter-mapping> > > > > > > Thank you, > > > > Dream * Excel * Explore * Inspire > > Jon McAlexander > > Senior Infrastructure Engineer > > Asst. Vice President > > He/His > > > > Middleware Product Engineering > > Enterprise CIO | EAS | Middleware | Infrastructure Solutions > > > > 8080 Cobblestone Rd | Urbandale, IA 50322 > > MAC: F4469-010 > > Tel 515-988-2508 | Cell 515-988-2508 > > > > > jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com> > > This message may contain confidential and/or privileged information. If you > are not the addressee or authorized to receive this for the addressee, you > must not use, copy, disclose, or take any action based on this message or any > information herein. If you have received this message in error, please advise > the sender immediately by reply e-mail and delete this message. Thank you > for your cooperation. > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
