Hello everyone, I would like to get your opinion about the HttpHeaderSecurityFilter in Tomcat. I configured HSTS in Tomcat and it works well. When I do a pen-test with burpsuite it complains that HSTS header is missing on 401 responses. I couldn’t find much information about whether HSTS makes sense for error pages.
It seems that Tomcat doesn’t send HSTS on 401 pages but burpsuite expects the header. Are there any pros and cons about sending HSTS on 401 response? Thanks in advance! Thomas --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
