Jon, again, the Qualys Scanner usually does not know any other web contexts than root, manager and examples. So if you don't have a root context, it may well end up in the woods and the result will not have an HSTS header. Can you verify the requested resource?
Best regards
Peter

> On 21.04.2023 at 17:47, [email protected] <[email protected]> wrote:
>
> Thank you Olaf, however, the connection was made over https directly to
> Tomcat on port 8443.
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> [email protected]
>
>> -----Original Message-----
>> From: Olaf Kock <[email protected]>
>> Sent: Friday, April 21, 2023 1:48 AM
>> To: [email protected]
>> Subject: Re: OT: hsts in Tomcat 9.0.73
>>
>>
>> On 21.04.23 at 07:03, [email protected] wrote:
>>> No, there is no error and no stack trace. Everything works, just the hsts
>>> header isn't in the list of headers.
>>>
>> The lowest hanging fruit: HSTS is only defined on https - on http it doesn't
>> have any meaning and Tomcat would be correct in not sending it (I haven't
>> looked at the source if it does, but it should be easy to test)
>>
>> If you have a reverse proxy handling https & proxying through http, Tomcat
>> might not know that it'd be fine to send the header. (If that is your case,
>> there is the brute force "secure" attribute on the connector
>> - use it only when there's no way to connect through http from anywhere
>> but your reverse proxy)
>>
>> This has bitten me a few times
>>
>> Olaf
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
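
An added example, not part of the original thread: a small Python check that takes the header block printed by `curl -skI <url>` for each URL the scanner requested and separates the cases discussed above (a resource outside any deployed context, a plain http request, and a header that is really missing). The host name, port 8080, the `/myapp/` context and the sample responses are constructed assumptions.

```python
import re

# Constructed sample: header blocks as `curl -skI <url>` would print them.
# Host, port 8080 and the /myapp/ context are assumptions, not from the thread.
SAMPLE = {
    "https://tomcat.example:8443/":
        "HTTP/1.1 404 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n",
    "https://tomcat.example:8443/myapp/":
        "HTTP/1.1 200 \r\nStrict-Transport-Security: max-age=31536000;includeSubDomains\r\n\r\n",
    "http://tomcat.example:8080/myapp/":
        "HTTP/1.1 200 \r\nContent-Type: text/html\r\n\r\n",
}

def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) for one header block."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_hsts(url, raw):
    """Classify one response: is HSTS there, and if not, why might it be absent?"""
    status, headers = parse_head(raw)
    hsts = headers.get("strict-transport-security")
    if hsts:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        # max-age=0 tells the browser to forget the policy, so it does not count.
        return "ok" if m and int(m.group(1)) > 0 else "hsts-disabled-or-malformed"
    if not url.lower().startswith("https://"):
        return "plain-http"        # HSTS is only defined on https
    if status == 404:
        return "no-such-resource"  # e.g. scanner asked for a context that is not deployed
    return "missing"               # https, resource exists, header absent: check the config

def audit(samples):
    """Map every requested URL to its finding."""
    return {url: check_hsts(url, raw) for url, raw in samples.items()}

if __name__ == "__main__":
    for url, finding in audit(SAMPLE).items():
        print(f"{finding:26} {url}")
```

A `no-such-resource` finding means the scan result should be re-tested against a URL that an application on the server actually serves before the header is treated as missing.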
