Hello, Wanted some inputs on setting HSTS (or other response headers) when returning error from a valve.
The server.xml has the valve "org.apache.catalina.valves.RemoteAddrValve" configured with a deny status of HTTP 404. Also, the Tomcat's web.xml has "org.apache.catalina.filters.HttpHeaderSecurityFilter" confugred. The requirement is to set the security related headers even when the request is denied from the "org.apache.catalina.valves.RemoteAddrValve", which I don't see being set. What is the right way to address such requirement? Did I miss anything here? Thanks, Amit
