This is what I am using. Hope this helps.

https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html

On Thu, Apr 28, 2022 at 3:11 PM Kaushal Shriyan <kaushalshri...@gmail.com>
wrote:

> Hi,
>
> I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009
> (Core) and trying to configure HTTP Strict Transport Security (HSTS)
> using /opt/tomcat9/conf/web.xml
>
> # ./version.sh
> Using CATALINA_BASE:   /opt/tomcat9
> Using CATALINA_HOME:   /opt/tomcat9
> Using CATALINA_TMPDIR: /opt/tomcat9/temp
> Using JRE_HOME:        /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64
> Using CLASSPATH:       /opt/tomcat9/bin/bootstrap.jar:/opt/tomcat9/bin/tomcat-juli.jar
> Using CATALINA_OPTS:
> Server version: Apache Tomcat/9.0.56
> Server built:   Dec 2 2021 14:30:07 UTC
> Server number:  9.0.56.0
> OS Name:        Linux
> OS Version:     3.10.0-1160.62.1.el7.x86_64
> Architecture:   amd64
> JVM Version:    1.8.0_322-b06
> JVM Vendor:     Red Hat, Inc.
> # cat /etc/redhat-release
> CentOS Linux release 7.9.2009 (Core)
> #
>
>
> > */opt/tomcat9/conf/web.xml*
> >
> > <filter>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >   <async-supported>true</async-supported>
> >   <init-param>
> >     <param-name>hstsEnabled</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsMaxAgeSeconds</param-name>
> >     <param-value>31536000</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsIncludeSubDomains</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> > </filter>
> > <filter-mapping>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <url-pattern>/*</url-pattern>
> >   <dispatcher>REQUEST</dispatcher>
> > </filter-mapping>
>
>
> When I scan the https://tomcatURL FQDN using
> https://www.ssllabs.com/ssltest/ I do not see the Strict Transport
> Security response header. Please guide me. Thanks in advance
>
> Best Regards,
>
> Kaushal
>
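
An added example, not part of either message in this thread: a Python check that reads the `httpHeaderSecurity` filter parameters from a `web.xml` and compares them with the `Strict-Transport-Security` header in a captured response. The sample `web.xml` fragment and the response headers are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the filter block quoted in the thread, wrapped in a root element.
WEB_XML = """<web-app><filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
</filter></web-app>"""

# Constructed response headers, in the form `curl -sI https://<host>/` prints them.
WITH_HSTS = "HTTP/1.1 200 \r\nStrict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
WITHOUT_HSTS = "HTTP/1.1 200 \r\nContent-Type: text/html;charset=UTF-8\r\n"


def configured_hsts(web_xml):
    """Return the init-params of the httpHeaderSecurity filter as a dict."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    for flt in root.iter("filter"):
        if (flt.findtext("filter-name") or "").strip() == "httpHeaderSecurity":
            return {(p.findtext("param-name") or "").strip(): (p.findtext("param-value") or "").strip()
                    for p in flt.iter("init-param")}
    return {}


def parse_hsts(headers):
    """Return the HSTS directives found in raw header text, or None if absent."""
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            pairs = (part.strip().partition("=") for part in value.split(";"))
            return {k.strip().lower(): v.strip().strip('"') for k, _, v in pairs if k}
    return None


def check(web_xml, headers):
    """List mismatches between the web.xml HSTS settings and an observed response."""
    cfg, seen = configured_hsts(web_xml), parse_hsts(headers)
    if cfg.get("hstsEnabled", "").lower() != "true":
        return ["hstsEnabled is not true in web.xml"]
    if seen is None:
        return ["response has no Strict-Transport-Security header"]
    problems = []
    if seen.get("max-age") != cfg.get("hstsMaxAgeSeconds"):
        problems.append("max-age %r differs from hstsMaxAgeSeconds" % seen.get("max-age"))
    if cfg.get("hstsIncludeSubDomains", "").lower() == "true" and "includesubdomains" not in seen:
        problems.append("includeSubDomains missing")
    return problems
```

Tomcat's documentation for this filter describes the HSTS header as being set on secure requests, so feed the check headers captured from the HTTPS URL rather than a plain-HTTP one.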
