On 09.02.2016 at 15:10, Christopher Schultz wrote:
> On 2/9/16 6:28 AM, dku...@ccilindia.co.in wrote:
>
> > and then VA test results show that HSTS is not configured.
>
> It looks like "VA test" has a broken client: it's not issuing a valid
> HTTP request.

Just to make sure it's not the most obvious things that we're missing here: HSTS headers /only/ make sense on HTTPS connections, never on HTTP connections. Also, they'll only work when using the default ports 80 and 443, as any HSTS-redirect will happily rewrite access to http://www.example.com:8080/ to https://www.example.com:8080/ - and this might easily result in protocol errors as you now no longer "speak" HTTP on port 8080, but HTTPS.

Please confirm that

* You're running on ports 80 and 443
* You're expecting the HSTS header purely on https connections
* You're not using ports 8080 and 8443 or any other non-80 and non-443 port

Olaf
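
The behaviour discussed in this message, as an added example that is not part of the original thread: a small JavaScript model of how a user agent treats HSTS under RFC 6797, recording the policy only from HTTPS responses and keeping an explicit non-default port when it rewrites a URL. The host names, header values and function names are constructed for illustration.

```javascript
// Added illustration, not code from the thread. Models how a user agent
// handles HSTS per RFC 6797; host names and header values are constructed.
const hstsHosts = new Map(); // host -> { expires, includeSubDomains }

// Parse a Strict-Transport-Security value; null if max-age is missing or invalid.
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age') {
      const v = raw.trim().replace(/^"(.*)"$/, '$1');
      if (!/^\d+$/.test(v)) return null;
      maxAge = Number(v);
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// The header is honoured only on responses received over HTTPS.
function noteResponse(url, headers, now = Date.now()) {
  const u = new URL(url);
  const policy = parseHsts(headers['strict-transport-security'] || '');
  if (u.protocol !== 'https:' || !policy) return false;
  if (policy.maxAge === 0) hstsHosts.delete(u.hostname); // max-age=0 clears the entry
  else hstsHosts.set(u.hostname, { expires: now + policy.maxAge * 1000,
                                   includeSubDomains: policy.includeSubDomains });
  return true;
}

function isKnownHstsHost(host, now) {
  const labels = host.split('.');
  return labels.some((_, i) => {
    const entry = hstsHosts.get(labels.slice(i).join('.'));
    return Boolean(entry) && entry.expires > now && (i === 0 || entry.includeSubDomains);
  });
}

// Rewrite before connecting (RFC 6797 section 8.3): the scheme becomes https,
// an absent or explicit port 80 maps to 443, any other explicit port is kept.
function upgrade(url, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol === 'http:' && isKnownHstsHost(u.hostname, now)) u.protocol = 'https:';
  return u.href;
}
```

A scanner that requests the site over plain HTTP, or on a port where no TLS listener answers, will see the same result as the first call to `noteResponse` here: no policy recorded.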