On 09/06/2023 19:34, Amit Pande wrote:
> Hello,
>
> Wanted some inputs on setting HSTS (or other response headers) when returning
> an error from a valve.
>
> The server.xml has the valve "org.apache.catalina.valves.RemoteAddrValve"
> configured with a deny status of HTTP 404.
>
> Also, Tomcat's web.xml has
> "org.apache.catalina.filters.HttpHeaderSecurityFilter" configured.
>
> The requirement is to set the security-related headers even when the request is denied
> from the "org.apache.catalina.valves.RemoteAddrValve", which I don't see being
> set.
>
> What is the right way to address such a requirement?
> Did I miss anything here?

Valves are before filters in the processing chain. If a Valve rejects a
request, a Filter will never see it.
If you switched to the RemoteAddrFilter, you could control the order the
Filters are applied.
Mark