Pratik,

> Am 25.08.2020 um 12:14 schrieb Pratik Shrestha <pratik...@gmail.com>:
>
> Hi all,
>
> Tomcat version: 9.0.37
>
> Our website is running on Tomcat. We did Qualys vulnerability scan on our
> site. Scan shows below vulnerability.
>
> Insecure transport
> Group: Information Disclosure
> CWE: CWE-319
> OWASP: A3 Sensitive Data Exposure
> WASC: WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION
>
> Please note
> 1. HTTP port is not enabled.

Which port does it complain on? Maybe it's not Tomcat, but another service?

> 2. We have only opened HTTPS port 8443. But when we connect this HTTPS port
> with HTTP (http://www.oursite.com:8443/), we get an error "Bad Request. This
> combination of host and port requires TLS."
> 3. Due to the above error message, we get this vulnerability error from
> Qualys.
> 4. We have already enabled HSTS.
> 5. We have enabled Rewrite Valve also to direct all HTTP to HTTPS. But it
> never works. It is like Tomcat doesn't care about Rewrite or HSTS. It just
> finds someone is accessing the HTTPS port with the HTTP protocol and then just
> throws error 400 'Bad Request'.
> 6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP', which
> should still be okay.
>
> We already tried to find the fix for this issue on the web, but in vain.
>
> Kindly help if anyone has found a way to fix it.
>
> Regards,
> Pratik

Peter
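One way to answer Peter's question ("which port does it complain on?") is to speak plain HTTP to each listening port and classify the answer: a Tomcat TLS connector replies 400 "requires TLS" (a rejection, not plaintext service), a proper HTTP-to-HTTPS redirect is harmless, and only a 200 over plaintext is real insecure transport. This is an added example, not code from the thread or from Tomcat; the sample responses are constructed, and `probe()` assumes you point it at your own host and port.

```python
import socket

# Constructed sample responses, not captured from the poster's site.
TOMCAT_TLS_REQUIRED = (
    b"HTTP/1.1 400 \r\nContent-Type: text/plain;charset=UTF-8\r\n"
    b"Connection: close\r\n\r\n"
    b"Bad Request\nThis combination of host and port requires TLS.\n"
)
REDIRECT_TO_HTTPS = b"HTTP/1.1 301 \r\nLocation: https://www.example.com/\r\n\r\n"
PLAIN_HTTP_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def classify_plain_http_response(raw: bytes) -> str:
    """Classify what a scanner sees after sending plain HTTP to a port."""
    if not raw:
        return "empty-response"  # e.g. the old Tomcat 7 behaviour: socket just closed
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)  # Tomcat 9 sends "HTTP/1.1 400 " with no reason phrase
    if len(parts) < 2 or not parts[1].isdigit():
        return "not-http"  # some other service (SSH banner, database, ...)
    code = int(parts[1])
    if code == 400 and b"requires TLS" in body:
        return "tls-port-rejected-plaintext"  # TLS connector refused plaintext: no data exposed
    if code in (301, 302, 307, 308):
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"location" and value.strip().lower().startswith(b"https://"):
                return "redirect-to-https"
        return "redirect-elsewhere"
    return "plaintext-served"  # a real CWE-319 finding: content served without TLS


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send one plain-HTTP GET to host:port (your own system) and classify the reply."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_plain_http_response(b"".join(chunks))
```

If `probe("www.oursite.com", 8443)` returns `tls-port-rejected-plaintext` but the scanner still flags the host, check the report for the exact port, since another listener may be the one serving plaintext.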