James,

On 10/13/25 8:01 PM, James H. H. Lampert wrote:
> On 10/13/25 4:36 PM, Christopher Schultz wrote:
>
>> Do you have any reverse proxy or anything like that? Does Tomcat serve HTTPS directly? If not, it will not return HSTS headers.
>
> Hmm. It is definitely serving HTTPS directly, because I'm seeing the same cert serial number as the one in the Java Keystore I personally plugged into their Tomcat server.

Okay. Can you show your Tomcat version number, security header filter config, including the <filter-mapping> from web.xml, the context-path of the web application, and a sample of:

curl -v https://example.com/yourapp/does_not_exist?

-chris

