On 26.12.19 11:22, Pattavee Sanchol wrote:
> Dear support team
>
> I config tomcat server to enabled HSTS some request URI path not
> response with Secure heading
>
> ...
>
> I some request URI such as http://192.168.1.1/%20 is not response with
> security header
>
> this is working
>
> image.png
> this not working
> image.png
>

Note: Images are stripped from the list, but I hope that I get the problem: You're trying to deliver the HSTS header for some, but not all of the requests coming in(?) (Otherwise, please correct)

I believe that this is chasing a ghost: It's a lot of work to make it happen, but doesn't have any meaningful advantage: If *any* request states that the server *only* wants to see HTTPS traffic, it doesn't matter if *more* requests also state the same: The server will need to provide proper answers to any HTTPS connection.

You're basically asking everybody who ever saw the HSTS header during the last 31536000 seconds (your configuration) to rewrite a http-URL to a https-URL.

Thus, I'd recommend to just not worry about any specific conditions to apply for those headers. Just send them - they don't harm, or make any difference. Or give us some more specific reasons that I might have missed.

Olaf
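
Added example, not part of the original message and not Tomcat code: a minimal Python model of a browser's HSTS handling as specified in RFC 6797, showing that a single noted header makes the browser rewrite every later http URL for that host until max-age runs out. The class name, method names and any hostnames passed in are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal model of a browser's Known HSTS Host list (RFC 6797, section 8)."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    @staticmethod
    def _is_ip(host):
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            return False

    def note_response(self, url, sts_header, now):
        """Process a Strict-Transport-Security header received for `url`."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Headers on plain HTTP responses are ignored; IP hosts are never noted.
        if parts.scheme != "https" or not sts_header or self._is_ip(host):
            return
        directives = {}
        for item in sts_header.split(";"):
            name, _, value = item.strip().partition("=")
            if name:
                directives[name.lower()] = value.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return  # max-age is required; without it the header is invalid
        max_age = int(directives["max-age"])
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 removes the entry
        else:
            self.hosts[host] = (now + max_age, "includesubdomains" in directives)

    def rewrite(self, url, now):
        """Return the URL the browser would actually request at time `now`."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # Exact match, or a parent domain that set includeSubDomains.
            if parts.scheme == "http" and entry and now < entry[0] and (i == 0 or entry[1]):
                netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```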