Here is the output from a powershell command: Invoke-WebRequest -Uri https://ldvwa00a0010.wellsfargo.com:8443 -MaximumRedirection 0 | Select-Object -ExpandProperty Headers
Key Value --- ----- X-Content-Type-Options nosniff X-Frame-Options SAMEORIGIN X-XSS-Protection 1 Set-Cookie JSESSIONID=E60F2DA9B666966565C8076FE5C47226.wfig1; Path=/; Secure; HttpOnly,COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:39:55 GMT; Path=/; Secure; HttpOnly,GU... Location https://ldvwa00a0010.wellsfargo.com:8443/c/portal/license Content-Length 0 Date Fri, 21 Apr 2023 20:57:47 GMT Keep-Alive timeout=60 Connection keep-alive Here is curl curl -ikl --verbose https://HOST:8443 > op.txt % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying IP:8443... * TCP_NODELAY set * Connected to HOST (IP) port 8443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* TLSv1.3 (IN), TLS handshake, Server hello (2): { [85 bytes data] * TLSv1.2 (IN), TLS handshake, Certificate (11): { [3806 bytes data] * TLSv1.2 (IN), TLS handshake, Server key exchange (12): { [300 bytes data] * TLSv1.2 (IN), TLS handshake, Server finished (14): { [4 bytes data] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): } [37 bytes data] * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): } [1 bytes data] * TLSv1.2 (OUT), TLS handshake, Finished (20): } [16 bytes data] * TLSv1.2 (IN), TLS handshake, Finished (20): { [16 bytes data] * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: C=US; O=; OU=; CN= * start date: Aug 10 16:35:12 2022 GMT * expire date: Aug 9 16:35:12 2024 GMT * issuer: C=US; O=; OU=; CN= * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0} [5 bytes data] > GET / HTTP/1.1 > Host: HOST:8443 > User-Agent: curl/7.65.3 > Accept: */* > { [5 bytes data] * Mark bundle as not supporting multiuse < HTTP/1.1 302 < X-Content-Type-Options: nosniff < X-Frame-Options: SAMEORIGIN < X-XSS-Protection: 1 < Set-Cookie: JSESSIONID=CB5FFB977D92D0CB953AE651014CD048.wfig1; Path=/; Secure; HttpOnly < Set-Cookie: COOKIE_SUPPORT=true; Expires=Tue, 03 Dec 2069 23:42:52 GMT; Path=/; Secure; HttpOnly < Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Tue, 03 Dec 2069 23:42:52 GMT; Path=/; Secure; HttpOnly < Location: https://HOST:8443/c/portal/license < Content-Length: 0 < Date: Fri, 21 Apr 2023 21:00:44 GMT < 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0 * Connection #0 to host left intact Thanks, Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -----Original Message----- > From: Christopher Schultz <ch...@christopherschultz.net> > Sent: Friday, April 21, 2023 1:17 PM > To: users@tomcat.apache.org > Subject: Re: OT: hsts in Tomcat 9.0.73 > > Jon, > > On 4/21/23 11:47, jonmcalexan...@wellsfargo.com.INVALID wrote: > > Thank you Olaf, however, the connection was made over https directly > > to Tomcat on port 8443. > Sample curl with secrets removed? > > -chris > > >> -----Original Message----- > >> From: Olaf Kock <tom...@olafkock.de> > >> Sent: Friday, April 21, 2023 1:48 AM > >> To: users@tomcat.apache.org > >> Subject: Re: OT: hsts in Tomcat 9.0.73 > >> > >> > >> Am 21.04.23 um 07:03 schrieb jonmcalexan...@wellsfargo.com.INVALID: > >>> No, there is no error and no stack trace. Everything works, just the > >>> hsts > >> header isn't in the list of headers. > >>> > >> The lowest hanging fruit: HSTS is only defined on https - on http it > >> doesn't have any meaning and Tomcat would be correct in not sending > >> it (I haven't looked at the source if it does, but it should be easy > >> to test) > >> > >> If you have a reverse proxy handling https & proxying through http, > >> Tomcat might not know that it'd be fine to send the header. (If that > >> is your case, there is the brute force "secure" attribute on the > >> connector > >> - use it only when there's no way to connect through http from > >> anywhere but your reverse proxy) > >> > >> This has bitten me a few times > >> > >> Olaf > >> > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
