Hi James,
On 13.10.25 at 17:30, James H. H. Lampert wrote:
> I've recently been asked to look into the HSTS parameters in the
> httpHeaderSecurity filter. To date, I've only used the
> anti-clickjacking parameters, and had no idea what HSTS even *is.*
> As it stands, our Tomcat installations, at least those directly
> exposed to the outside, are all set up as HTTPS-only, with no active
> listener *at all* on 80 or 8080.
Do you have any question about this that is missing from your original post?
HSTS can still help you, as even in case of a breach, or a MITM attack,
no browser (that has seen your site's HSTS header before) will ever even
try to access port 80, but automatically rewrite URLs to https.
The only drawback (if I remember correctly) is that it doesn't play
well with non-default ports, e.g. 8080, if it's exposed publicly.
Olaf
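To make the two points in Olaf's reply concrete (a browser that has cached the site's HSTS policy rewrites http URLs to https on its own, and an explicit non-default port such as 8080 is carried over unchanged), here is an added example that is not part of this thread and not Tomcat's own code. It parses a Strict-Transport-Security header value and applies the URL rewrite rule from RFC 6797 section 8.3. The hostnames and the header value are constructed samples; the header value is the shape the httpHeaderSecurity filter emits when HSTS is enabled with a max age and includeSubDomains.

```python
"""Added example (not from the mailing-list thread, not Tomcat's code):
how a browser that has cached an HSTS policy rewrites URLs per RFC 6797.
All hostnames and header values below are constructed samples."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when max-age is missing or not a number, because RFC 6797
    requires max-age and a browser ignores the header without it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def _host_matches(host, known_hosts):
    """Exact match, or a parent domain whose cached policy has includeSubDomains."""
    for known, policy in known_hosts.items():
        if host == known:
            return True
        if policy["include_subdomains"] and host.endswith("." + known):
            return True
    return False


def hsts_upgrade(url, known_hosts):
    """Apply the RFC 6797 section 8.3 rewrite for a URL the browser is about to fetch.

    For a host with a cached policy: scheme http becomes https, port 80
    (explicit or implied) becomes the https default, and any other explicit
    port is kept as-is. This is why http://host:8080/ is upgraded to
    https://host:8080/, which only works if TLS is actually served on 8080.
    known_hosts maps hostname -> policy dict from parse_hsts.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): nothing to do
    host = parts.hostname or ""
    if not _host_matches(host, known_hosts):
        return url  # no cached policy: the browser would try plain http
    port = parts.port  # None when no explicit port was given
    netloc = host if port is None or port == 80 else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed header, as emitted with HSTS enabled for one year plus subdomains.
    policy = parse_hsts("max-age=31536000; includeSubDomains")
    cached = {"example.com": policy}  # what the browser remembers after one https visit
    for u in ("http://example.com/login",
              "http://example.com:8080/app",
              "http://api.example.com/",
              "http://other.example.org/"):
        print(u, "->", hsts_upgrade(u, cached))
```

Running the block shows the upgrade happening before any request leaves the browser, so a listener that is absent on port 80 is never contacted; the 8080 line shows the port being preserved, which is the non-default-port caveat from the reply.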
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]