Posted to users@tomcat.apache.org by Devatha Naga Puneeth <dn...@gmail.com> on 2023/01/12 05:51:51 UTC

Is it possible to add hsts header over http response ?

Apache Tomcat Version : 9.0.65

 <filter>
  <filter-name>sts</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>hstsEnabledForHttp</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
 </filter>

 <filter-mapping>
  <filter-name>sts</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

Used the above configuration in conf/web.xml to add the HSTS header.
It is adding the HSTS header over only HTTPS responses.

Is it possible to add the HSTS header over HTTP responses through Tomcat? If
possible, could you provide a way to add the HSTS header over HTTP 302
responses as well?

Re: Is it possible to add hsts header over http response ?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Shawn,

On 1/12/23 20:48, Shawn Heisey wrote:
> On 1/12/23 01:34, Mark Thomas wrote:
>> On 12/01/2023 08:26, Hiran CHAUDHURI wrote:
>> In that case the Connector would need to be configured with 
>> secure="true" to work correctly/securely and the 
>> HttpHeaderSecurityFilter would add the HSTS header if configured to do 
>> so.
> 
> My personal opinion is that the header should be added by whatever is 
> handling the TLS.

+1

Only the TLS terminator knows whether or not HSTS is appropriate.

> I don't have Tomcat in my current setups, but the piece handling TLS for 
> me is haproxy.  In a lot of cases it will be Apache httpd.  My haproxy 
> frontend config has this:
> 
>    http-after-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"

For Apache httpd, it's:

     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"

The max-age is up to you, as are the other parameters.

CORS is a whole other matter in httpd. I feel like I spend forever 
getting that to work as hoped.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

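The replies above move the header to the TLS terminator (haproxy or httpd) and quote the two values used there. A defender's follow-up is to verify what the edge actually returns: that every HTTPS response, including a 302, carries a well-formed Strict-Transport-Security value, and that the plain-HTTP 302 which bounces the client to HTTPS needs no such header, because RFC 6797 tells browsers to ignore HSTS received over plain HTTP (which is also why the original question has no useful answer). The checker below is an added example, not code from the thread or from haproxy, httpd or Tomcat; the captured responses are constructed by hand, and the preload-list thresholds are an assumption to confirm against hstspreload.org.

```python
"""Check Strict-Transport-Security on captured responses.

Added example, not code from the thread or from Tomcat, haproxy or httpd.
The captures below are constructed: an http 302 that sends the client to
https, https responses carrying the haproxy and httpd values quoted in the
thread, and two deliberately wrong ones.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: hstspreload.org currently requires max-age of at least one year,
# plus includeSubDomains and preload, before a domain can be submitted.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class Response:
    scheme: str                       # scheme the client used: "http" or "https"
    status: int
    headers: List[Tuple[str, str]]


def parse_hsts(value: str) -> dict:
    """Parse an STS field value following the RFC 6797 section 6.1 grammar.

    Directives are ';'-separated, empty directives (a trailing ';') are
    permitted, names are case-insensitive, no directive may repeat, and
    max-age must be present with a non-negative integer value.
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"')
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"\d+", directives["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_response(resp: Response) -> List[str]:
    """Return findings for one response; an empty list means it looks right."""
    findings = []
    sts = [v for k, v in resp.headers if k.lower() == "strict-transport-security"]
    if resp.scheme != "https":
        # RFC 6797 section 8.1: a UA ignores STS received over plain HTTP, so the
        # http 302 that redirects to https is correct without the header.
        if sts:
            findings.append("STS sent over plain http; browsers ignore it")
        return findings
    if not sts:
        findings.append(f"https {resp.status} response has no STS header")
        return findings
    if len(sts) > 1:
        findings.append("more than one STS field; the UA processes only the first")
    try:
        d = parse_hsts(sts[0])
    except ValueError as e:
        findings.append(f"malformed STS value: {e}")
        return findings
    if d["max-age"] == 0:
        findings.append("max-age=0 tells the client to drop the policy")
    if "preload" in d and (d["max-age"] < PRELOAD_MIN_MAX_AGE or "includesubdomains" not in d):
        findings.append("preload present but max-age/includeSubDomains below list requirements")
    return findings


# Constructed captures (not real traffic).
SAMPLES = {
    "http-302": Response("http", 302, [("Location", "https://app.example/")]),
    "https-haproxy": Response("https", 200, [
        ("Strict-Transport-Security", "max-age=16000000; includeSubDomains; preload;")]),
    "https-httpd-302": Response("https", 302, [
        ("Location", "https://app.example/login"),
        ("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload;")]),
    "https-missing": Response("https", 200, [("Content-Type", "text/html")]),
    "https-malformed": Response("https", 200, [("Strict-Transport-Security", "includeSubDomains")]),
}


def audit() -> dict:
    """Run every sample through check_response; keys map to their findings."""
    return {name: check_response(resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else findings)
```

Run against the two values quoted in the thread, the checker accepts both as valid HSTS but flags that a max-age of 16000000 or 15552000 seconds is below the one-year minimum the preload list asks for, so the `preload` token there is decorative until max-age is raised; drop `preload` or raise max-age, but do not ship a policy you are not ready to commit the whole domain to.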

Re: Is it possible to add hsts header over http response ?

Posted by Shawn Heisey <ap...@elyograg.org>.
On 1/12/23 01:34, Mark Thomas wrote:
> On 12/01/2023 08:26, Hiran CHAUDHURI wrote:
> In that case the Connector would need to be configured with 
> secure="true" to work correctly/securely and the 
> HttpHeaderSecurityFilter would add the HSTS header if configured to do so.

My personal opinion is that the header should be added by whatever is 
handling the TLS.

I don't have Tomcat in my current setups, but the piece handling TLS for 
me is haproxy.  In a lot of cases it will be Apache httpd.  My haproxy 
frontend config has this:

   http-after-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"

Thanks,
Shawn



Re: Is it possible to add hsts header over http response ?

Posted by Mark Thomas <ma...@apache.org>.
On 12/01/2023 08:26, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
> 
> Would/should this also cover cases where Tomcat is working on http or ajp although the connection is considered secure as SSL is offloaded to httpd or some other reverse proxy?

In that case the Connector would need to be configured with 
secure="true" to work correctly/securely and the 
HttpHeaderSecurityFilter would add the HSTS header if configured to do so.

Mark


> 
> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH) <Th...@speed4trade.com.INVALID>
> Sent: Thursday, January 12, 2023 8:24
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: AW: Is it possible to add hsts header over http response ?
> 
> Hello,
> 
> HSTS only works via https. I think it's not specified for HTTP and shouldn't be used for this protocol.
> So everything works as the specification defines.
> You should not violate the specification and browsers won't care about this header in http anyway.
> 
> Greetings,
> Thomas
> IMPORTANT - CONFIDENTIALITY NOTICE - This e-mail is intended only for the use of the individual or entity shown above as addressees . It may contain information which is privileged, confidential or otherwise protected from disclosure under applicable laws . If the reader of this transmission is not the intended recipient, you are hereby notified that any dissemination, printing, distribution, copying, disclosure or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this transmission in error, please immediately notify us by reply e-mail or using the address below and delete the message and any attachments from your system. Amadeus Data Processing GmbH Geschaftsfuhrer: Sven Fuhrmeister Sitz der Gesellschaft: Erding HR Munchen 212770 Berghamer Strasse 6 85435 Erding Germany.
> 
> 


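Mark's answer and the original configuration turn on one condition: Tomcat's HttpHeaderSecurityFilter adds Strict-Transport-Security only when request.isSecure() is true, and behind a TLS-offloading proxy that is only the case if the Connector says secure="true" or a RemoteIpValve with protocolHeader set rewrites it from X-Forwarded-Proto sent by a trusted proxy address. The model below, an added example that is not Tomcat source, reproduces that decision for several deployments so the difference between "plain connector", "secure=true" and "RemoteIpValve" is visible; class names, addresses and the header spacing are constructed, and the internal-proxy ranges are a subset of the valve's documented defaults.

```python
"""Model of when Tomcat's HttpHeaderSecurityFilter would emit HSTS.

Added example, not Tomcat source. It models three documented Tomcat behaviours:
the filter adds Strict-Transport-Security only when request.isSecure() is
true; isSecure() is true when the Connector terminates TLS (SSLEnabled) or
carries secure="true"; and RemoteIpValve, when protocolHeader is set, rewrites
isSecure() from that header for requests arriving from an internal or trusted
proxy address. Names, addresses and header values below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Connector:
    ssl_enabled: bool = False   # Tomcat terminates TLS on this connector
    secure: bool = False        # Connector secure="true" (TLS offloaded upstream)


@dataclass
class RemoteIpValve:
    # Subset of the valve's documented defaults: private and loopback ranges
    # count as internal proxies; protocolHeader is unset until configured.
    internal_proxies: List[str] = field(default_factory=lambda: [
        "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "127.0.0.0/8"])
    trusted_proxies: List[str] = field(default_factory=list)
    protocol_header: Optional[str] = None          # e.g. "X-Forwarded-Proto"
    protocol_header_https_value: str = "https"

    def trusts(self, remote_addr: str) -> bool:
        addr = ip_address(remote_addr)
        return any(addr in ip_network(n) for n in self.internal_proxies + self.trusted_proxies)


@dataclass
class Request:
    remote_addr: str                                   # peer address seen by the connector
    headers: Dict[str, str] = field(default_factory=dict)


def is_secure(conn: Connector, valve: Optional[RemoteIpValve], req: Request) -> bool:
    """Reproduce the value request.isSecure() would have when the filter runs."""
    secure = conn.ssl_enabled or conn.secure
    if valve is not None and valve.protocol_header and valve.trusts(req.remote_addr):
        # Only a peer the valve trusts may override the scheme; the same header
        # from any other address is left alone, so clients cannot flip it.
        value = req.headers.get(valve.protocol_header)
        if value is not None:
            secure = value.lower() == valve.protocol_header_https_value
    return secure


def security_headers(conn: Connector, valve: Optional[RemoteIpValve], req: Request,
                     max_age: int = 31536000, include_subdomains: bool = True,
                     preload: bool = False) -> Dict[str, str]:
    """HSTS header the filter would add for this request (empty dict if none)."""
    if not is_secure(conn, valve, req):
        return {}
    value = f"max-age={max_age}"          # separator spacing is this model's choice
    if include_subdomains:
        value += ";includeSubDomains"
    if preload:
        value += ";preload"
    return {"Strict-Transport-Security": value}


# Constructed scenarios: the same request arriving through different deployments.
FROM_PROXY = Request("10.0.0.5", {"X-Forwarded-Proto": "https"})     # the offloading proxy
FROM_CLIENT = Request("203.0.113.9", {"X-Forwarded-Proto": "https"})  # header from an untrusted peer
SCENARIOS = {
    "tls-on-tomcat": (Connector(ssl_enabled=True), None, Request("203.0.113.9")),
    "offload-plain-connector": (Connector(), None, FROM_PROXY),
    "offload-secure-true": (Connector(secure=True), None, FROM_PROXY),
    "offload-remoteip-valve": (Connector(), RemoteIpValve(protocol_header="X-Forwarded-Proto"), FROM_PROXY),
    "valve-untrusted-peer": (Connector(), RemoteIpValve(protocol_header="X-Forwarded-Proto"), FROM_CLIENT),
}


def hsts_for(name: str) -> Optional[str]:
    """Return the STS value emitted in the named scenario, or None."""
    conn, valve, req = SCENARIOS[name]
    return security_headers(conn, valve, req).get("Strict-Transport-Security")


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:26} -> {hsts_for(name)}")
```

The "offload-plain-connector" case is the one the thread is about: Tomcat sees a plain-HTTP socket, so the filter stays silent even though the client spoke TLS to the proxy. Either secure="true" (every request on that connector is then treated as secure, so it must only be reachable from the proxy) or the RemoteIpValve (which trusts the header only from listed proxy addresses) makes the filter emit the header; the last scenario shows why the valve's address check matters.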

RE: Is it possible to add hsts header over http response ?

Posted by Hiran CHAUDHURI <hi...@amadeus.com.INVALID>.
CONFIDENTIAL & RESTRICTED

Would/should this also cover cases where Tomcat is working on http or ajp although the connection is considered secure as SSL is offloaded to httpd or some other reverse proxy?

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH) <Th...@speed4trade.com.INVALID>
Sent: Thursday, January 12, 2023 8:24
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: AW: Is it possible to add hsts header over http response ?

Hello,

HSTS only works via https. I think it's not specified for HTTP and shouldn't be used for this protocol.
So everything works as the specification defines.
You should not violate the specification and browsers won't care about this header in http anyway.

Greetings,
Thomas

AW: Is it possible to add hsts header over http response ?

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello,

> -----Original Message-----
> From: Devatha Naga Puneeth <dn...@gmail.com>
> Sent: Thursday, 12 January 2023 06:52
> To: users@tomcat.apache.org
> Subject: Is it possible to add hsts header over http response ?
> 
> Apache Tomcat Version : 9.0.65
> 
>  <filter>
>   <filter-name>sts</filter-name>
> 
> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
>   <init-param>
>     <param-name>hstsEnabledForHttp</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsMaxAgeSeconds</param-name>
>     <param-value>31536000</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsIncludeSubDomains</param-name>
>     <param-value>true</param-value>
>   </init-param>
>  </filter>
> 
>  <filter-mapping>
>   <filter-name>sts</filter-name>
>   <url-pattern>/*</url-pattern>
>  </filter-mapping>
> 
> Used the above configuration in the conf/web.xml to add the hsts header .
> It is adding hsts header over only https responses.
> 
> Is it possible to add hsts header over http response through tomcat  . If possible
> could you provide a way to add the hsts header over http 302 responses as well.

HSTS only works via https. I think it's not specified for HTTP and shouldn't be used for this protocol.
So everything works as the specification defines.
You should not violate the specification and browsers won't care about this header in http anyway.

Greetings,
Thomas