AW: HSTS on 401 / error pages

2023-09-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
it as a "cosmetic imperfection" and maybe ask also the burpsuite-team if this finding is justified. I wish all a nice weekend! Thomas > -Original Message- > From: Roberto Benedetti > Sent: Saturday, 16 September 2023 11:46 > To: Tomcat Users List > Subject: R:

R: HSTS on 401 / error pages

2023-09-16 Thread Roberto Benedetti
, the other security options are left to Tomcat. We had the same issue and that's how we passed the pen-test. Roberto -Original Message- From: Peter Kreuser Sent: Friday, 15 September 2023 21:34 To: Tomcat Users List Subject: Re: HSTS on 401 / error pages CAUTION - This e-mail

Re: HSTS on 401 / error pages

2023-09-15 Thread Peter Kreuser
; -Original Message- >> From: Christopher Schultz >> Sent: Friday, 15 September 2023 17:15 >> To: users@tomcat.apache.org >> Subject: Re: AW: HSTS on 401 / error pages >> >> Thomas, >> >>> On 9/14/23 10:03, Thomas Hoffmann

AW: AW: HSTS on 401 / error pages

2023-09-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Chris, > -Original Message- > From: Christopher Schultz > Sent: Friday, 15 September 2023 17:15 > To: users@tomcat.apache.org > Subject: Re: AW: HSTS on 401 / error pages > > Thomas, > > On 9/14/23 10:03, Thomas Hoffmann (Speed4Trade G

Re: AW: HSTS on 401 / error pages

2023-09-15 Thread Christopher Schultz
Thomas, On 9/14/23 10:03, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello Chris, -Original Message- From: Christopher Schultz Sent: Thursday, 14 September 2023 15:26 To: users@tomcat.apache.org Subject: Re: HSTS on 401 / error pages Thomas, Please start a new thread

AW: AW: HSTS on 401 / error pages

2023-09-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Shawn, > -Original Message- > From: Shawn Heisey > Sent: Friday, 15 September 2023 03:56 > To: Tomcat Users List > Subject: Re: AW: HSTS on 401 / error pages > > On 9/14/23 08:03, Thomas Hoffmann (Speed4Trade GmbH) wrote: > > Sorry, I t

Re: AW: HSTS on 401 / error pages

2023-09-14 Thread Shawn Heisey
On 9/14/23 08:03, Thomas Hoffmann (Speed4Trade GmbH) wrote: Sorry, I thought removing all content and subject is sufficient. Maybe the message-id header is used internally(?) TL;DR: technical details about message threading. Not about Tomcat. This is what happens when you reply to an

Re: HSTS on 401 / error pages

2023-09-14 Thread logo
s, > >> -Original Message- >> From: Christopher Schultz >> Sent: Thursday, 14 September 2023 15:26 >> To: users@tomcat.apache.org >> Subject: Re: HSTS on 401 / error pages >> >> Thomas, >> >> Please start a new

AW: HSTS on 401 / error pages

2023-09-14 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Chris, > -Original Message- > From: Christopher Schultz > Sent: Thursday, 14 September 2023 15:26 > To: users@tomcat.apache.org > Subject: Re: HSTS on 401 / error pages > > Thomas, > > Please start a new thread next time. Sorry, I t

Re: HSTS on 401 / error pages

2023-09-14 Thread Christopher Schultz
Thomas, Please start a new thread next time. On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello everyone, I would like to get your opinion about the HttpHeaderSecurityFilter in Tomcat. I configured HSTS in Tomcat and it works well. When I do a pen-test with burpsuite it

HSTS on 401 / error pages

2023-09-14 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello everyone, I would like to get your opinion about the HttpHeaderSecurityFilter in Tomcat. I configured HSTS in Tomcat and it works well. When I do a pen-test with burpsuite it complains that HSTS header is missing on 401 responses. I couldn’t find much information about whether HSTS makes