-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 4:40 PM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73
Jon,
On 4/25/23 13:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
<Connector port="8443" keystorePass="REMOVED"
           keystoreFile="REMOVED"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           sslEnabledProtocols=" TLSv1.2" sslProtocol="TLS" clientAuth="false"
           secure="true" scheme="https" SSLEnabled="true" maxThreads="150"
           protocol="org.apache.coyote.http11.Http11NioProtocol"/>
Here is the code for the HSTS part of the Filter:
// HSTS
if (hstsEnabled && request.isSecure()) {
    httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
}
I was wondering if maybe secure="true" wasn't there, but you have it.
:hmm:
What's the name of the application artifact? Like the WAR file or WAR directory
in webapps/ ? Are you deploying it multiple times -- say, from both
auto-deployment *and also* with a <Context> in conf/server.xml?
Your copy/paste of web.xml has a bunch of leading - symbols before each of
the <open-elements> e.g.:
-<filter>
<filter-name>httpHeaderSecurity</filter-name>
Is that just an artifact from the XML editor/viewer you are using?
I can see these headers which should also be coming from the
HttpHeaderSecurityFilter:
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-XSS-Protection 1
(Although the documentation suggests that the value for X-XSS-Protection
should be "1; mode=block" and it isn't in the above header value.)
Are you able to change the configuration and/or add some code/config?
-chris
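The message above diagnoses the problem by reading the response headers by eye: three of the headers HttpHeaderSecurityFilter sets are present, Strict-Transport-Security is not, and X-XSS-Protection carries "1" instead of the documented "1; mode=block". The following script automates that comparison over a captured header block such as `curl -I` prints. It is an added example, not code from the thread or from Tomcat; the sample response is constructed to reproduce the symptom described above, and the "n/a" handling reflects the quoted filter code, which only emits HSTS when request.isSecure() is true.

```python
"""Audit a captured HTTP response for the headers Tomcat's
HttpHeaderSecurityFilter is expected to add (added example, not Tomcat code)."""

# Headers the filter sets when the corresponding option is enabled, with the
# value the thread cites for each. Strict-Transport-Security is only checked
# for presence, because max-age/includeSubDomains are site-specific.
EXPECTED = {
    "strict-transport-security": None,   # emitted only for secure requests
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}


def parse_headers(raw: str) -> dict:
    """Parse the header block of an HTTP response (as printed by `curl -I`)
    into a dict keyed by lower-cased header name. A duplicated header keeps
    its last value, which is sufficient for an audit."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str, https: bool) -> dict:
    """Return {header: 'ok' | 'missing' | 'unexpected: <value>' | 'n/a'}.

    `https` says whether the probe was made over TLS; the filter only sets
    HSTS when request.isSecure() is true, so a missing HSTS header on a
    plain-HTTP probe is not a finding."""
    headers = parse_headers(raw)
    report = {}
    for name, expected in EXPECTED.items():
        if name == "strict-transport-security" and not https:
            report[name] = "n/a"
            continue
        value = headers.get(name)
        if value is None:
            report[name] = "missing"
        elif expected is not None and value.lower() != expected.lower():
            report[name] = f"unexpected: {value}"
        else:
            report[name] = "ok"
    return report


# Constructed sample matching the symptom in the thread: the three
# anti-clickjacking / sniffing / XSS headers are present, HSTS is absent,
# and X-XSS-Protection carries "1" rather than "1; mode=block".
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Content-Type: text/html;charset=UTF-8
"""

if __name__ == "__main__":
    for header, status in audit(SAMPLE_RESPONSE, https=True).items():
        print(f"{header:28s} {status}")
```

Run it against real output by piping `curl -sI https://host:8443/` into a file and passing its contents to `audit(..., https=True)`; a "missing" for Strict-Transport-Security with the other three "ok" is exactly the pattern that points at `request.isSecure()` returning false rather than at the filter not being mapped.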
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 10:04 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73
Jon,
On 4/25/23 10:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
It's the Server level web.xml in conf
So it applies to all web applications.
I would recommend that you change that configuration to:
1. Be present in your own web application's WEB-INF/web.xml file and
2. Deploy a ROOT application which has only a few things in it and
3. Be present in webapps/ROOT/WEB-INF/web.xml
Having a missing ROOT application can cause a few weird things to
happen.
Having the ROOT means that you can always return e.g. a 404 response
even if there is no application deployed on /foo just in case.
(This may have changed in the past few years, it used to be that a
request for /foo would return 400 or something similar instead of 404).
It also means that your Tomcat installation doesn't have to be
re-customized any time you upgrade it: just deploy your dummy-ROOT
and your own application and you are all good.
What does your <Connector> look like for port 8443?
-chris
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, April 25, 2023 9:15 AM
To: users@tomcat.apache.org
Subject: Re: OT: hsts in Tomcat 9.0.73
Jon,
On 4/20/23 16:39, jonmcalexan...@wellsfargo.com.INVALID wrote:
Hello again.
I have another app team that is getting hit with a QID 11827 stating that the
hsts Security header is missing. We have reviewed the web.xml and
the appropriate section and filter are present. hstsEnabled is set to
true.
Performing a curl against the site does NOT show the hsts STRICT
header.
WEB.XML
Which web.xml? And is the filename really capitalized?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org