Thomas,

Please start a new thread next time.

On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
Hello everyone,
I would like to get your opinion about the HttpHeaderSecurityFilter in Tomcat.
I configured HSTS in Tomcat and it works well.
When I do a pen-test with Burp Suite it complains that the HSTS header is missing on
401 responses.
I couldn’t find much information about whether HSTS makes sense for error pages.
It seems that Tomcat doesn’t send HSTS on 401 pages but Burp Suite expects the
header.
Are there any pros and cons about sending HSTS on 401 responses?

You should always return an HSTS header.

How have you configured your HttpHeaderSecurityFilter? What is causing
the 401 response? Which application is responding with that status?

-chris
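
A way to check the finding discussed above across response statuses, as an added example that is not part of the original thread: it parses response heads and reports every one without an effective `Strict-Transport-Security` policy. The paths and responses are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample response heads (not captured from a real server).
SAMPLE_RESPONSES = {
    "/app/index.jsp": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000;includeSubDomains\r\n\r\n",
    "/app/protected": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="constructed"\r\n\r\n',
    "/app/old": "HTTP/1.1 302 Found\r\nLocation: /app/index.jsp\r\nstrict-transport-security: max-age=0\r\n\r\n",
}

def parse_response(raw):
    """Return (status_code, {lowercased header name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def hsts_max_age(headers):
    """Return max-age in seconds from the first HSTS header, or None if absent/invalid."""
    values = headers.get("strict-transport-security")
    if not values:
        return None
    # RFC 6797: only the first header field is processed; directive names are case-insensitive.
    for directive in values[0].split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None

def audit(responses):
    """Map path -> finding for every response that lacks an effective HSTS policy."""
    findings = {}
    for path, raw in responses.items():
        status, headers = parse_response(raw)
        age = hsts_max_age(headers)
        if age is None:
            findings[path] = f"{status}: HSTS header missing or invalid"
        elif age == 0:
            findings[path] = f"{status}: max-age=0 clears the HSTS policy"
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_RESPONSES).items():
        print(path, "->", finding)
```
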