Posted to users@tomcat.apache.org by Pattavee Sanchol <pa...@thaidigitalid.com> on 2019/12/26 10:22:29 UTC

HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Dear support team

I configured the Tomcat server to enable HSTS, but some request URI paths do not
respond with the security headers.

The configuration is illustrated below:

   <filter>
     <filter-name>httpHeaderSecurity</filter-name>
     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
     <async-supported>true</async-supported>
     <init-param>
       <param-name>hstsEnabled</param-name>
       <param-value>true</param-value>
     </init-param>
     <init-param>
       <param-name>hstsIncludeSubDomains</param-name>
       <param-value>true</param-value>
     </init-param>
     <init-param>
       <param-name>hstsMaxAgeSeconds</param-name>
       <param-value>31536000</param-value>
     </init-param>
     <init-param>
       <param-name>antiClickJackingEnabled</param-name>
       <param-value>true</param-value>
     </init-param>
     <init-param>
       <param-name>antiClickJackingOption</param-name>
       <param-value>SAMEORIGIN</param-value>
     </init-param>
   </filter>

   <filter-mapping>
     <filter-name>httpHeaderSecurity</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
   </filter-mapping>


Some request URIs, such as http://192.168.1.1/%20, do not respond with the
security headers.


This is working:

[image: image.png]

This is not working:

[image: image.png]

Please suggest how to solve this problem.
Thank you.

Regards.


ปฐวี สรรค์ชล / Pattavee SANCHOL

Thai Digital ID CO.,LTD. <http://www.thaidigitalid.com>

319, 25th Floor, Room 10-11, Chamchuri Square Building,
Phayathai Road, Phathum Wan, Bangkok
Thailand 10330
Tel : +66-029-0290 ext. 3317

E-mail : pattavee.san@thaidigitalid.com


Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Posted by Pattavee Sanchol <pa...@thaidigitalid.com>.
Dear Olaf

Thank you so much for your reply.


> problem: You're trying to deliver the HSTS header for some, but not all of
> the requests coming in(?) (Otherwise, please correct)

-> No. I want to respond with the HSTS header on all requests, but after I
followed the configuration below it does not respond with the HSTS header on
some requests, such as http://192.168.1.1/%20 or http://192.168.1.1/%3e. I
think the url pattern /* is not applied to requests with special characters
in the path.

   <filter-mapping>
     <filter-name>httpHeaderSecurity</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
   </filter-mapping>

Regards.




On Thu, Dec 26, 2019 at 6:11 PM Olaf Kock <to...@olafkock.de> wrote:

>
> On 26.12.19 11:22, Pattavee Sanchol wrote:
> > Dear support team
> >
> > I configured the Tomcat server to enable HSTS, but some request URI paths
> > do not respond with the security headers
> >
> > ...
> >
> >
> > Some request URIs, such as http://192.168.1.1/%20, do not respond with
> > the security headers
> >
> >
> > this is working
> >
> >
> > image.png
> > this not working
> > image.png
> >
> Note: Images are stripped from the list, but I hope that I get the
> problem: You're trying to deliver the HSTS header for some, but not all
> of the requests coming in(?) (Otherwise, please correct)
>
> I believe that this is chasing a ghost: It's a lot of work to make it
> happen, but doesn't have any meaningful advantage: If *any* request
> states that the server *only* wants to see HTTPS traffic, it doesn't
> matter if *more* requests also state the same: The server will need to
> provide proper answers to any HTTPS connection. You're basically asking
> everybody who ever saw the HSTS header during the last 31536000 seconds
> (your configuration) to rewrite a http-URL to a https-URL.
>
> Thus, I'd recommend to just not worry about any specific conditions to
> apply for those headers. Just send them - they don't harm, or make any
> difference. Or give us some more specific reasons that I might have missed.
>
> Olaf
>
>


Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Posted by Olaf Kock <to...@olafkock.de>.
On 26.12.19 11:22, Pattavee Sanchol wrote:
> Dear support team
>
> I configured the Tomcat server to enable HSTS, but some request URI paths
> do not respond with the security headers
>
> ...
>
>
> Some request URIs, such as http://192.168.1.1/%20, do not respond with
> the security headers
>
>
> this is working
>
>
> image.png
> this not working
> image.png
>
Note: Images are stripped from the list, but I hope that I get the
problem: You're trying to deliver the HSTS header for some, but not all
of the requests coming in(?) (Otherwise, please correct)

I believe that this is chasing a ghost: It's a lot of work to make it
happen, but doesn't have any meaningful advantage: If *any* request
states that the server *only* wants to see HTTPS traffic, it doesn't
matter if *more* requests also state the same: The server will need to
provide proper answers to any HTTPS connection. You're basically asking
everybody who ever saw the HSTS header during the last 31536000 seconds
(your configuration) to rewrite a http-URL to a https-URL.

Thus, I'd recommend to just not worry about any specific conditions to
apply for those headers. Just send them - they don't harm, or make any
difference. Or give us some more specific reasons that I might have missed.

Olaf


Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Posted by Pattavee Sanchol <pa...@thaidigitalid.com>.
Dear Chris,

Thank you so much for your suggestion.
Now I have solved this problem. The cause is that request URL paths with
special characters were handled by the web application framework, but my
application framework's configuration did not apply to special characters in
the URL, so it returned the default page without the HSTS header.
I set a new configuration to handle them, and now this problem is fixed.

Regards.




On Thu, Jan 2, 2020 at 10:49 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Pattavee,
>
> On 1/1/20 22:55, Pattavee Sanchol wrote:
> > Dear Chris,
> >
> > I followed your suggestion and changed my app to ROOT, but requests with
> > special characters in the url path still respond with no HSTS header.
> > Details in the example below
> >
> >
> > [sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443"
> >
> > HTTP/1.1 200
> >
> > Strict-Transport-Security: max-age=31536000;includeSubDomains
> >
> > X-Frame-Options: SAMEORIGIN
> >
> > X-Content-Type-Options: nosniff
> >
> > X-XSS-Protection: 1; mode=block
> >
> > Set-Cookie:
> > JSESSIONID=11B6A6F834606B167C2281DB1381BBC2;path=/;Secure;HttpOnly
> >
> > Content-Type: text/html;charset=UTF-8
> >
> > Transfer-Encoding: chunked
> >
> > Date: Thu, 02 Jan 2020 03:46:13 GMT
> >
> >
> >
> >
> > [sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443/%20"
> >
> > HTTP/1.1 200
> >
> > Set-Cookie:
> > JSESSIONID=DC2234708B03D66FFC6D30178F083145;path=/;Secure;HttpOnly
> >
> > Content-Type: text/html;charset=UTF-8
> >
> > Transfer-Encoding: chunked
> >
> > Date: Thu, 02 Jan 2020 03:47:54 GMT
> >
> > Regards.
>
> Can you please package-up a WAR file with the above configuration,
> name it ROOT.war, deploy it into a fresh Tomcat server and re-test
> with 8.5.50? If it fails, please post the WAR file somewhere I can
> fetch it and test it myself.
>
> You do not need any additional files except maybe an index.html file
> to avoid 404 responses.
>
> - -chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pattavee,

On 1/1/20 22:55, Pattavee Sanchol wrote:
> Dear Chris,
> 
> I followed your suggestion and changed my app to ROOT, but requests with
> special characters in the url path still respond with no HSTS header.
> Details in the example below
> 
> 
> [sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443"
> 
> HTTP/1.1 200
> 
> Strict-Transport-Security: max-age=31536000;includeSubDomains
> 
> X-Frame-Options: SAMEORIGIN
> 
> X-Content-Type-Options: nosniff
> 
> X-XSS-Protection: 1; mode=block
> 
> Set-Cookie: 
> JSESSIONID=11B6A6F834606B167C2281DB1381BBC2;path=/;Secure;HttpOnly
> 
> Content-Type: text/html;charset=UTF-8
> 
> Transfer-Encoding: chunked
> 
> Date: Thu, 02 Jan 2020 03:46:13 GMT
> 
> 
> 
> 
> [sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443/%20"
> 
> HTTP/1.1 200
> 
> Set-Cookie: 
> JSESSIONID=DC2234708B03D66FFC6D30178F083145;path=/;Secure;HttpOnly
> 
> Content-Type: text/html;charset=UTF-8
> 
> Transfer-Encoding: chunked
> 
> Date: Thu, 02 Jan 2020 03:47:54 GMT
> 
> Regards.

Can you please package-up a WAR file with the above configuration,
name it ROOT.war, deploy it into a fresh Tomcat server and re-test
with 8.5.50? If it fails, please post the WAR file somewhere I can
fetch it and test it myself.

You do not need any additional files except maybe an index.html file
to avoid 404 responses.

- -chris



Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Posted by Pattavee Sanchol <pa...@thaidigitalid.com>.
Dear Chris,

I followed your suggestion and changed my app to ROOT, but requests with
special characters in the url path still respond with no HSTS header.
Details in the example below:


[sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443"
HTTP/1.1 200
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=11B6A6F834606B167C2281DB1381BBC2;path=/;Secure;HttpOnly
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 02 Jan 2020 03:46:13 GMT

[sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443/%20"
HTTP/1.1 200
Set-Cookie: JSESSIONID=DC2234708B03D66FFC6D30178F083145;path=/;Secure;HttpOnly
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 02 Jan 2020 03:47:54 GMT

Regards.




On Fri, Dec 27, 2019 at 10:47 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Pattavee,
>
> On 12/26/19 05:22, Pattavee Sanchol wrote:
> > Dear support team
> >
> > I configured the Tomcat server to enable HSTS, but some request URI paths
> > do not respond with the security headers
> >
> > The configuration illustrated below
> >
> > <filter>
> >
> > <filter-name>httpHeaderSecurity</filter-name>
> >
> >
> > <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >
> >  <async-supported>true</async-supported>
> >
> > <init-param>
> >
> > <param-name>hstsEnabled</param-name>
> >
> > <param-value>true</param-value>
> >
> > </init-param>
> >
> > <init-param>
> >
> > <param-name>hstsIncludeSubDomains</param-name>
> >
> > <param-value>true</param-value>
> >
> > </init-param>
> >
> > <init-param>
> >
> > <param-name>hstsMaxAgeSeconds</param-name>
> >
> > <param-value>31536000</param-value>
> >
> > </init-param>
> >
> > <init-param>
> >
> > <param-name>antiClickJackingEnabled</param-name>
> >
> > <param-value>true</param-value>
> >
> > </init-param>
> >
> > <init-param>
> >
> > <param-name>antiClickJackingOption</param-name>
> >
> > <param-value>SAMEORIGIN</param-value>
> >
> > </init-param>
> >
> > </filter>
> >
> >
> > <filter-mapping>
> >
> > <filter-name>httpHeaderSecurity</filter-name>
> >
> > <url-pattern>/*</url-pattern>
> >
> > <dispatcher>REQUEST</dispatcher>
> >
> > </filter-mapping>
> >
> >
> > Some request URIs, such as http://192.168.1.1/%20, do not respond
> > with the security headers
> >
> >
> > this is working
> >
> >
> > image.png this not working image.png Please suggest me to solve
> > this problem.
>
> You configured this filter in your web application, right? I'm
> guessing this is not the root application, but instead something like
> /myapp ?
>
> If that's the case, then requesting http://192.168.1.1/%20 will map to
> the ROOT web application which doesn't have HSTS configured.
>
> You will need to add this <filter> to the ROOT web application, which
> is usually found in CATALINA_BASE/webapps/ROOT. You may have
> specifically configured it to be somewhere else, though.
>
> Our applications at $work are also deployed as /myapp but our build
> process always generates a "dummy" ROOT application that handles
> things like 404 responses to things that don't start with /myapp.
> Consider doing the same with your build: build your myapp.war (or
> whatever) and then also build a ROOT.war (or similar) which contains
> the minimal configuration you need to accomplish your goals, such as
> the HSTS response headers, and maybe a catch-all error handler that
> redirects people to /myapp or something similar.
>
> As for HSTS being served from Tomcat... you might consider doing that
> at the reverse-proxy level. My experience has been that having a
> single Tomcat isn't enough for a production-quality deployment for
> both fail-over and maintenance purposes. It's always a good idea to
> have a load-balancer even if you don't have so much load that a single
> server can handle it.
>
> If you have a lb/reverse-proxy, then HSTS is best handled there
> because it's usually easier to apply it to the whole site.
>
> - -chris
>
>


Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pattavee,

On 12/26/19 05:22, Pattavee Sanchol wrote:
> Dear support team
> 
> I configured the Tomcat server to enable HSTS, but some request URI paths
> do not respond with the security headers
> 
> The configuration illustrated below
> 
> <filter>
> 
> <filter-name>httpHeaderSecurity</filter-name>
> 
> 
> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>
>  <async-supported>true</async-supported>
> 
> <init-param>
> 
> <param-name>hstsEnabled</param-name>
> 
> <param-value>true</param-value>
> 
> </init-param>
> 
> <init-param>
> 
> <param-name>hstsIncludeSubDomains</param-name>
> 
> <param-value>true</param-value>
> 
> </init-param>
> 
> <init-param>
> 
> <param-name>hstsMaxAgeSeconds</param-name>
> 
> <param-value>31536000</param-value>
> 
> </init-param>
> 
> <init-param>
> 
> <param-name>antiClickJackingEnabled</param-name>
> 
> <param-value>true</param-value>
> 
> </init-param>
> 
> <init-param>
> 
> <param-name>antiClickJackingOption</param-name>
> 
> <param-value>SAMEORIGIN</param-value>
> 
> </init-param>
> 
> </filter>
> 
> 
> <filter-mapping>
> 
> <filter-name>httpHeaderSecurity</filter-name>
> 
> <url-pattern>/*</url-pattern>
> 
> <dispatcher>REQUEST</dispatcher>
> 
> </filter-mapping>
> 
> 
> Some request URIs, such as http://192.168.1.1/%20, do not respond
> with the security headers
> 
> 
> this is working
> 
> 
> image.png this not working image.png Please suggest me to solve
> this problem.

You configured this filter in your web application, right? I'm
guessing this is not the root application, but instead something like
/myapp ?

If that's the case, then requesting http://192.168.1.1/%20 will map to
the ROOT web application which doesn't have HSTS configured.

You will need to add this <filter> to the ROOT web application, which
is usually found in CATALINA_BASE/webapps/ROOT. You may have
specifically configured it to be somewhere else, though.

Our applications at $work are also deployed as /myapp but our build
process always generates a "dummy" ROOT application that handles
things like 404 responses to things that don't start with /myapp.
Consider doing the same with your build: build your myapp.war (or
whatever) and then also build a ROOT.war (or similar) which contains
the minimal configuration you need to accomplish your goals, such as
the HSTS response headers, and maybe a catch-all error handler that
redirects people to /myapp or something similar.

As for HSTS being served from Tomcat... you might consider doing that
at the reverse-proxy level. My experience has been that having a
single Tomcat isn't enough for a production-quality deployment for
both fail-over and maintenance purposes. It's always a good idea to
have a load-balancer even if you don't have so much load that a single
server can handle it.

If you have a lb/reverse-proxy, then HSTS is best handled there
because it's usually easier to apply it to the whole site.

- -chris
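A simplified model of the context selection Chris describes (an added example, not Tomcat's own Mapper code): the decoded request path is matched against the longest deployed context path, and only that context's filter mappings apply, so /%20 lands in ROOT and never reaches the filter configured in /myapp unless ROOT carries the same filter. The CONTEXTS table, the secure flag and the function names are assumptions for illustration.

```python
from urllib.parse import unquote

# Simplified model of Tomcat's request-to-context mapping (example code,
# not Tomcat's Mapper). Deployed context path -> url-patterns that map
# the HttpHeaderSecurityFilter in that context's web.xml. The table and
# the names below are assumptions for illustration.
CONTEXTS = {
    "/myapp": {"/*"},  # the questioner's app, filter mapped to /*
    "": set(),         # default ROOT application, no filter configured
}

# The fix Chris suggests: a ROOT.war that carries the same filter mapping.
CONTEXTS_WITH_ROOT_FIX = {"/myapp": {"/*"}, "": {"/*"}}


def select_context(request_uri, contexts):
    """Pick the longest context path that prefixes the *decoded* request
    path (Tomcat decodes %XX before mapping). Returns (context, path)."""
    path = unquote(request_uri.split("?", 1)[0])
    best = ""
    for ctx in contexts:
        if ctx and (path == ctx or path.startswith(ctx + "/")):
            if len(ctx) > len(best):
                best = ctx
    return best, path[len(best):] or "/"


def pattern_matches(pattern, path):
    """Servlet url-pattern matching for exact and path-prefix patterns."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def hsts_header_sent(request_uri, secure=True, contexts=CONTEXTS):
    """True when the request reaches a context whose filter mapping covers
    it. HttpHeaderSecurityFilter only emits HSTS on secure (HTTPS) requests,
    which is why the secure flag is part of the model."""
    if not secure:
        return False
    ctx, path = select_context(request_uri, contexts)
    return any(pattern_matches(p, path) for p in contexts[ctx])


if __name__ == "__main__":
    for uri in ("/myapp/", "/myapp/%20", "/", "/%20", "/%3e"):
        ctx, path = select_context(uri, CONTEXTS)
        print(f"{uri:12} -> {ctx or 'ROOT':7} {path!r:10} "
              f"HSTS: {hsts_header_sent(uri)}  with ROOT fix: "
              f"{hsts_header_sent(uri, contexts=CONTEXTS_WITH_ROOT_FIX)}")
```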