Am 21.04.23 um 07:03 schrieb jonmcalexan...@wellsfargo.com.INVALID:
No, there is no error and no stack trace. Everything works, just the hsts
header isn't in the list of headers.
The lowest hanging fruit: HSTS is only defined on https - on http it
doesn't have any meaning and Tomcat would be correct in not sending it
(I haven't looked at the source if it does, but it should be easy to test)
If you have a reverse proxy handling https & proxying through http,
Tomcat might not know that it'd be fine to send the header. (If that is
your case, there is the brute force "secure" attribute on the connector
- use it only when there's no way to connect through http from anywhere
but your reverse proxy)
This has bitten me a few times
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org