Hi, I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core) and trying to configure HTTP Strict Transport Security (HSTS) using /opt/tomcat9/conf/web.xml
# ./version.sh Using CATALINA_BASE: /opt/tomcat9 Using CATALINA_HOME: /opt/tomcat9 Using CATALINA_TMPDIR: /opt/tomcat9/temp Using JRE_HOME: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64 Using CLASSPATH: /opt/tomcat9/bin/bootstrap.jar:/opt/tomcat9/bin/tomcat-juli.jar Using CATALINA_OPTS: Server version: Apache Tomcat/9.0.56 Server built: Dec 2 2021 14:30:07 UTC Server number: 9.0.56.0 OS Name: Linux OS Version: 3.10.0-1160.62.1.el7.x86_64 Architecture: amd64 JVM Version: 1.8.0_322-b06 JVM Vendor: Red Hat, Inc. # cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) # > */opt/tomcat9/conf/web.xml*<filter> > <filter-name>httpHeaderSecurity</filter-name> > > <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> > <async-supported>true</async-supported> > <init-param> > <param-name>hstsEnabled</param-name> > <param-value>true</param-value> > </init-param> > <init-param> > <param-name>hstsMaxAgeSeconds</param-name> > <param-value>31536000</param-value> > </init-param> > <init-param> > <param-name>hstsIncludeSubDomains</param-name> > <param-value>true</param-value> > </init-param> > </filter> > <filter-mapping> > <filter-name>httpHeaderSecurity</filter-name> > <url-pattern>/*</url-pattern> > <dispatcher>REQUEST</dispatcher> > </filter-mapping> When I scan the https://tomcatURL FQDN using https://www.ssllabs.com/ssltest/ I do not see the Strict Transport Security response header. Please guide me. Thanks in advance Best Regards, Kaushal
