Thomas,

On 4/29/22 02:44, Thomas Hoffmann (Speed4Trade GmbH) wrote:
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, 29 April 2022 01:10
To: users@tomcat.apache.org
Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x

Kaushal,

On 4/28/22 15:37, Kaushal Shriyan wrote:
On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu <pc8...@gmail.com> wrote:

This is what I am using. Hope this helps.

https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html

Thanks Peter. Do I need to run tomcat on port 443 or 8443 to enable
HTTP Strict Transport Security (HSTS)? I will be unable to run tomcat
service on port 443 as it is a privileged port for root user only.
Currently I am running tomcat service as tomcat user on port 8080.

You must use HTTPS to connect to a server in order for the HSTS header to be
respected.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

"
Note: The Strict-Transport-Security header is ignored by the browser when
your site is accessed using HTTP; this is because an attacker may intercept
HTTP connections and inject the header or remove it. When your site is
accessed over HTTPS with no certificate errors, the browser knows your site
is HTTPS capable and will honor the Strict-Transport-Security header.
"

Is your server available via https:// ? If you are running on port 80, that
doesn't tell us if it's encrypted.

If you are enabling HSTS, how do you expect users to connect to your service
if you are running non-secure HTTP on port 8080?

-chris


Hello,
according to
https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob/master/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
the headers are set if request.isSecure is set to true.

Sure, but the browser will ignore it if not served over HTTPS. It's possible to trick Tomcat into thinking that the connection is secure even when the client isn't using HTTPS.

(BTW, that's a really old source file. Here's the latest: https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java#L105)

So it depends on <Connector secure="true" .../> within the server.xml.
If behind a proxy with SSL Offloading, this flag can also be set on a plain http connection.

Yup.

-chris
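Putting the two halves of this thread together, the following is an added example (not configuration from the thread, and not the Tomcat project's own conf files) of how the pieces fit when Tomcat sits behind a TLS-terminating proxy: the HttpHeaderSecurityFilter is enabled in conf/web.xml, and the connector that receives the proxy's plain-HTTP traffic carries secure="true" so that request.isSecure() returns true and the filter emits the header. The port numbers, the max-age value, the loopback bind address and the proxy layout are assumptions chosen for illustration.

```xml
<!-- conf/web.xml: enable the filter that writes Strict-Transport-Security.
     Added example; the parameter values are assumptions, not project defaults. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <!-- one year (assumed value); browsers only honour this when it
             arrives over HTTPS with no certificate errors -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<!-- conf/server.xml, BEFORE: the plain-HTTP connector the TLS-offloading
     proxy forwards to. request.isSecure() is false here, so the filter
     above never adds the HSTS header even though the client used HTTPS
     to reach the proxy. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- conf/server.xml, AFTER: tell Tomcat that TLS was terminated upstream.
     secure="true" makes Tomcat treat EVERY request on this port as secure,
     so the connector must be reachable only from the proxy (bound to
     loopback here, an assumption) and never exposed to clients directly;
     scheme/proxyPort make generated redirects point back at the proxy's
     HTTPS port (443 assumed). -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           secure="true" scheme="https" proxyPort="443" />
```

After restarting, a quick check is to fetch any resource through the proxy over HTTPS and confirm the Strict-Transport-Security header is present with the expected max-age; if the proxy also answers plain HTTP, confirm it redirects to HTTPS rather than serving content, since, as the MDN note quoted above says, the browser ignores the header on an HTTP response anyway.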

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
