On 31/08/2022 15:36, Yanhua Wusands wrote:
We are using TOMCAT 9.0.40 on Linux, and are trying to set up
Strict-Transport-Security per requirement from our security team.
We followed this note:
https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html
Changed $CATALINA_HOME/conf/web.xml
With:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31556927</param-value>
    </init-param>
</filter>
And uncommented:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
After we restarted Apache Tomcat, we still couldn't see
Strict-Transport-Security using the following curl command:
curl -i -s https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home | grep -i Strict-Transport-Security
I am reaching out to see if there are any additional steps that need to be done for
setting up this security flag.
Please provide the Connector element(s) (with sensitive data like
passwords masked) from your $CATALINA_BASE/conf/server.xml file.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
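An added example, not from the thread, of a POSIX shell checker for the header the poster's curl pipeline greps for. It takes a captured response header block (the samples below are constructed; the first mirrors the no-header result the poster saw) and succeeds only when a Strict-Transport-Security header with a sufficient max-age is present. The max-age floor is taken from the hstsMaxAgeSeconds value in the quoted web.xml.

```shell
#!/bin/sh
# Added example, not from the thread: validate the Strict-Transport-Security
# header in a captured HTTP response header block.

# Floor for max-age; taken from the hstsMaxAgeSeconds value in the quoted web.xml.
HSTS_MIN_MAX_AGE=31556927

# check_hsts HEADERS
#   HEADERS is a raw response header block (what `curl -sI URL` prints).
#   Prints a one-line verdict; returns 0 only when an HSTS header with
#   max-age >= HSTS_MIN_MAX_AGE is present.
check_hsts() {
    headers=$1
    # Header names are case-insensitive; drop CRs so values compare cleanly.
    line=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$line" ]; then
        echo "MISSING: no Strict-Transport-Security header"
        return 1
    fi
    value=${line#*:}
    # Directives are ';'-separated; pull out the numeric max-age.
    max_age=$(printf '%s' "$value" | tr -d ' ' | tr ';' '\n' | grep -i '^max-age=' | cut -d= -f2)
    case $max_age in
        ''|*[!0-9]*)
            echo "INVALID: HSTS header without a numeric max-age:$value"
            return 1 ;;
    esac
    if [ "$max_age" -lt "$HSTS_MIN_MAX_AGE" ]; then
        echo "WEAK: max-age=$max_age is below $HSTS_MIN_MAX_AGE"
        return 1
    fi
    echo "OK:$value"
    return 0
}

# Constructed sample: what the poster saw, a response with no HSTS header.
SAMPLE_NO_HSTS='HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Date: Wed, 31 Aug 2022 13:36:00 GMT'

# Constructed sample: the same response once Tomcat adds the header.
SAMPLE_HSTS='HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Strict-Transport-Security: max-age=31556927
X-Frame-Options: DENY
X-Content-Type-Options: nosniff'

# Constructed sample: header present but with a short max-age.
SAMPLE_WEAK='HTTP/1.1 200
Strict-Transport-Security: max-age=300; includeSubDomains'

# Demo run over the three samples (|| true keeps the demo going after a failing verdict).
for sample in "$SAMPLE_NO_HSTS" "$SAMPLE_HSTS" "$SAMPLE_WEAK"; do
    check_hsts "$sample" || true
done
# Live use: check_hsts "$(curl -sI https://host/path)"
```

One caveat worth knowing when the header stays absent despite a correct filter mapping: HttpHeaderSecurityFilter only adds Strict-Transport-Security when `request.isSecure()` is true, so if TLS is terminated by a proxy in front of Tomcat, Tomcat must be told the request arrived over HTTPS (RemoteIpValve or RemoteIpFilter reading the proxy's X-Forwarded-Proto header, or `secure="true"` on the Connector). That is the information the Connector elements requested in the reply would reveal.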