Jon,

On 4/21/23 11:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
Thank you Olaf, however, the connection was made over https directly
to Tomcat on port 8443.
Sample curl with secrets removed?

-chris

-----Original Message-----
From: Olaf Kock <tom...@olafkock.de>
Sent: Friday, April 21, 2023 1:48 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73


On 21.04.23 at 07:03, jonmcalexan...@wellsfargo.com.INVALID wrote:
No, there is no error and no stack trace. Everything works, just the hsts
header isn't in the list of headers.

The lowest hanging fruit: HSTS is only defined on https - on http it doesn't
have any meaning and Tomcat would be correct in not sending it (I haven't
looked at the source to see whether it does, but it should be easy to test).

If you have a reverse proxy handling https & proxying through http, Tomcat
might not know that it'd be fine to send the header. (If that is your case,
there is the brute force "secure" attribute on the connector
- use it only when there's no way to connect through http from anywhere
but your reverse proxy)

This has bitten me a few times

Olaf
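
The two configuration fragments below are an added illustration of Olaf's point, not part of the thread. They assume HSTS is produced by Tomcat's HttpHeaderSecurityFilter (which only sets the header when request.isSecure() is true) and a reverse proxy that terminates TLS and forwards plain HTTP to Tomcat on port 8080; both the topology and the port are assumptions, and Jon's report of a direct https connection on 8443 is a different case.

```xml
<!-- web.xml (added example): HttpHeaderSecurityFilter emits
     Strict-Transport-Security, but only on requests Tomcat treats as secure. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- server.xml, assumed topology: proxy terminates TLS, speaks plain HTTP to
     Tomcat on 8080. Requests on this connector are not "secure", so the filter
     skips the HSTS header even though the client used https at the proxy. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- The "brute force" fix from the message: mark every request on this
     connector as having arrived over https. Safe only when nothing except the
     reverse proxy can reach port 8080. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           secure="true" scheme="https" proxyPort="443" />
```

Verify the effect by requesting a page through the proxy and confirming the Strict-Transport-Security header is present in the response; a request sent directly to port 8080 over plain http will carry the header too with this setting, which is why the attribute is only appropriate when that port is unreachable from anywhere else.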


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

