Pattavee,
On 12/26/19 05:22, Pattavee Sanchol wrote:
> Dear support team
>
> I configured the Tomcat server to enable HSTS; some request URI paths do not
> respond with the security header.
>
> The configuration is illustrated below:
>
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
>   <init-param>
>     <param-name>hstsEnabled</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsIncludeSubDomains</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsMaxAgeSeconds</param-name>
>     <param-value>31536000</param-value>
>   </init-param>
>   <init-param>
>     <param-name>antiClickJackingEnabled</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>antiClickJackingOption</param-name>
>     <param-value>SAMEORIGIN</param-value>
>   </init-param>
> </filter>
>
> <filter-mapping>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <url-pattern>/*</url-pattern>
>   <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> Some request URIs such as http://192.168.1.1/%20 do not respond with the
> security header.
>
> This is working:
> (screenshot: image.png)
>
> This is not working:
> (screenshot: image.png)
>
> Please suggest how to solve this problem.

You configured this filter in your web application, right? I'm guessing this is not the root application, but instead something like /myapp ?

If that's the case, then requesting http://192.168.1.1/%20 will map to the ROOT web application which doesn't have HSTS configured. You will need to add this <filter> to the ROOT web application, which is usually found in CATALINA_BASE/webapps/ROOT. You may have specifically configured it to be somewhere else, though.
Our applications at $work are also deployed as /myapp but our build process always generates a "dummy" ROOT application that handles things like 404 responses to things that don't start with /myapp. Consider doing the same with your build: build your myapp.war (or whatever) and then also build a ROOT.war (or similar) which contains the minimal configuration you need to accomplish your goals, such as the HSTS response headers, and maybe a catch-all error handler that redirects people to /myapp or something similar.

As for HSTS being served from Tomcat... you might consider doing that at the reverse-proxy level. My experience has been that having a single Tomcat isn't enough for a production-quality deployment for both fail-over and maintenance purposes. It's always a good idea to have a load-balancer even if you don't have so much load that a single server can handle it. If you have a lb/reverse-proxy, then HSTS is best handled there because it's usually easier to apply it to the whole site.
-chris
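The root cause in this thread is Tomcat's context mapping: a request path is decoded and then routed to the longest deployed context path that matches it as a whole segment, and anything else falls through to ROOT. The following script is an added example, not code from the thread or from Tomcat: it simulates that mapping for a constructed deployment (ROOT plus /myapp), checks a constructed set of per-context response headers for an acceptable Strict-Transport-Security policy, and shows that /%20 only passes once the header is also served by ROOT. The context list, header values, sample paths and the thresholds in hsts_is_acceptable are all assumptions made for the demo.

```python
"""Added example: why /%20 misses an HSTS filter declared only in /myapp.

Everything here is constructed for illustration; it is not Tomcat code.
"""
from urllib.parse import unquote


def resolve_context(request_path, contexts):
    """Return the context path Tomcat would route request_path to.

    Mirrors the mapping rule: percent-decode first, then pick the longest
    context path that equals the path or is followed by '/'. No match means
    the ROOT context, represented here by "".
    """
    path = unquote(request_path)  # Tomcat decodes %XX before mapping
    best = ""
    for ctx in contexts:
        if ctx and (path == ctx or path.startswith(ctx + "/")):
            if len(ctx) > len(best):
                best = ctx
    return best


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_is_acceptable(headers, min_max_age=31536000, require_subdomains=True):
    """True if the response headers carry an HSTS policy meeting the thresholds.

    Header names are matched case-insensitively. The one-year minimum and the
    includeSubDomains requirement are assumed policy values for this demo.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        return False
    if max_age < min_max_age:
        return False
    if require_subdomains and "includesubdomains" not in directives:
        return False
    return True


def audit(paths, contexts, headers_by_context):
    """Map each path to its context and report (context, hsts_ok)."""
    report = {}
    for path in paths:
        ctx = resolve_context(path, contexts)
        report[path] = (ctx, hsts_is_acceptable(headers_by_context.get(ctx, {})))
    return report


# Constructed deployment: ROOT ("") plus /myapp; only /myapp has the filter.
DEPLOYED_CONTEXTS = ["", "/myapp"]
BROKEN_HEADERS = {
    "/myapp": {"Strict-Transport-Security": "max-age=31536000;includeSubDomains"},
    "": {},  # ROOT serves no HSTS header
}
# The fix suggested in the thread: give ROOT the same filter configuration.
FIXED_HEADERS = dict(BROKEN_HEADERS, **{"": BROKEN_HEADERS["/myapp"]})
SAMPLE_PATHS = ["/myapp/login", "/myapp", "/%20", "/myapp2/x", "/"]

if __name__ == "__main__":
    for label, headers in (("before", BROKEN_HEADERS), ("after", FIXED_HEADERS)):
        print(f"--- {label} adding the filter to ROOT ---")
        for path, (ctx, ok) in audit(SAMPLE_PATHS, DEPLOYED_CONTEXTS, headers).items():
            print(f"{path:14} -> context {ctx or 'ROOT':8} HSTS ok: {ok}")
```

Note that /myapp2/x also lands in ROOT: a context path only matches on a whole path segment, so any path outside the deployed application's own prefix is exposed to whatever ROOT serves, which is the argument for the dummy ROOT.war (or a reverse proxy) carrying the site-wide headers.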