Jon,

On 4/25/23 11:33, jonmcalexan...@wellsfargo.com.INVALID wrote:
There is a ROOT application which is part of the overall app and not
the default Tomcat one. How should this be added to those web.xml files?

If you deploy your own webapp as ROOT then you should place that HSTS configuration in ROOT/WEB-INF/web.xml and nowhere else.

-chris

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 10:04 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
It's the Server level web.xml in conf

So it applies to all web applications.

I would recommend that you change that configuration to:

1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml

Having a missing ROOT application can cause a few weird things to happen.
Having the ROOT means that you can always return e.g. a 404 response even
if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a request for
/foo would return 400 or something similar instead of 404).

It also means that your Tomcat installation doesn't have to be re-customized
any time you upgrade it: just deploy your dummy-ROOT and your own
application and you are all good.

What does your <Connector> look like for port 8443?

-chris

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73

Jon,

On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
Hello again.

I have another app team that is getting hit with a QID 11827 stating
that the
hsts Security header is missing. We have reviewed the web.xml and the
appropriate section and filter are present. hstsEnabled is set to true.
Performing a curl against the site does NOT show the hsts STRICT header.

WEB.XML

Which web.xml? And is the filename really capitalized?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org