On 10/13/25 4:36 PM, Christopher Schultz wrote:
> I agree with Olaf that the risk is minimal, but if you are super worried
> you can do this: enable HSTS with a max-age of something short like 5
> minutes. DO NOT ENABLE PRELOAD. Do not "include subdomains". Put it out
> there and make sure you can load your test site.
> Once you are happy that (a) the HSTS header is present and (b)
> everything works, you can raise the max-age to something higher and more
> useful. Qualys's SSL Server Test will give you a higher score if HSTS is
> enabled and the max-age is high enough.
> At this point, you can enable PRELOAD and the browser vendors will seed
> their products with your site's domain in their HSTS lists. At this
> point, no browser will ever visit your web site again with plain-old HTTP.
I tried it on the guinea-pig box with 60 seconds, and it worked, at
least far enough to present a sign-on page.
The complaint in the report is demanding that the max-age is less than a
full year, and that includeSubDomains is absent. So my second test is
with a full year, and includeSubDomains.
As to preload, (1) the word literally never occurs in the report with
the complaint, (2) the webapp is not intended for public use, and (3) no
browser has ever been able to visit it with "plain-old HTTP," because
(going back to Tomcat 7) it has never been set up to serve "plain-old
HTTP" (it's never been set up to even listen on 80 or 8080).
And . . . once I fixed a typo on the hstsIncludeSubDomains parameter
name . . .
It still works, and I'm able to sign on to it, and do simple operations
with it.
Thanks Messrs. Schultz and Kock for the hand-holding. Now about that
other question I had, concerning starting and stopping contexts from
"under the hood . . ."
--
JHHL
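As an added example (not code from either message in this thread, and not part of Tomcat), the staged rollout Christopher describes and the two complaints JHHL's scanner report raises (max-age below one year, includeSubDomains absent) can be checked mechanically against the Strict-Transport-Security header a server actually sends. The script below parses the header per RFC 6797 (directive names are case-insensitive, `max-age` is mandatory) and reports the same findings; the sample header values are constructed for illustration, and `fetch_hsts` is a helper name chosen here for pointing the check at a live HTTPS endpoint. Note that the header is only honoured when received over HTTPS, which is why the check fetches with `https://` only.

```python
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# Threshold the scanner report in the thread asks for (and the minimum
# hstspreload.org accepts): one year in seconds.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives).

    Directives are ';'-separated and case-insensitive; max-age is required.
    Tomcat's HttpHeaderSecurityFilter emits them without spaces, browsers
    accept either form, so whitespace is tolerated here.
    """
    max_age: Optional[int] = None
    include_sub = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_sub, preload)


def check_hsts(header_value: Optional[str], require_preload: bool = False) -> List[str]:
    """Return findings in the spirit of the scanner report; an empty list passes.

    require_preload=True additionally checks for the 'preload' token, which
    only matters if the domain is going to be submitted to the preload list.
    """
    if header_value is None:
        return ["Strict-Transport-Security header absent"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    findings: List[str] = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is less than one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains is absent")
    if require_preload and not policy.preload:
        findings.append("preload is absent")
    return findings


def fetch_hsts(url: str) -> Optional[str]:
    """Fetch the Strict-Transport-Security header from a live HTTPS URL.

    Helper name chosen for this example; refuses plain http:// because HSTS
    is only honoured over a TLS connection anyway.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("HSTS is only meaningful over https://")
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample headers mirroring the rollout stages in the thread.
    samples = {
        "stage 1, five minutes": "max-age=300",
        "guinea-pig box, 60 seconds": "max-age=60",
        "full year + includeSubDomains": "max-age=31536000;includeSubDomains",
        "ready for preload": "max-age=31536000;includeSubDomains;preload",
    }
    for label, value in samples.items():
        print(f"{label}: {check_hsts(value, require_preload=False) or 'OK'}")
```

The first two samples reproduce the report's two complaints; the third, which matches JHHL's second test, passes. Running with `require_preload=True` shows the extra finding the report never asked for, which is consistent with the point that preload is a separate decision from satisfying the scanner.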