Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/04/07 12:39:50 UTC

[Bug 65996] New: HSTS header with Tomcat 9 for 400 Errors

https://bz.apache.org/bugzilla/show_bug.cgi?id=65996

            Bug ID: 65996
           Summary: HSTS header with Tomcat 9 for 400 Errors
           Product: Tomcat 9
           Version: 9.0.30
          Hardware: PC
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Examples
          Assignee: dev@tomcat.apache.org
          Reporter: hblel.dev@gmail.com
  Target Milestone: -----

Created attachment 38241
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38241&action=edit
Notice the missing HSTS headers on both examples

Using a Tomcat v9.0.30, I was able to successfully configure HSTS headers for
all responses (when served over HTTPS) for my Spring-based app using the
built-in Tomcat filter HttpHeaderSecurityFilter
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html

However, I have noticed that the headers were not added for a particular
response with a 400 HttpStatus. Below are some screenshots:

The issue seems to be specific to 400 Errors and particularly when chars
non-compliant with RFC 7230 and RFC 3986 are used: "["

I know that these chars are now rejected by default by Tomcat v9.x.x for
security reasons and that it can be allowed using the relaxedPathChars and
relaxedQueryChars properties, but what about the 400 error response?

Why is the HSTS header not added in that case, and is there a workaround (add
the headers for the 400 response)? Is this a bug in Tomcat, if the
HttpHeaderSecurityFilter is supposed to be applied to all responses?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---
It *could* be done with a Valve, though, I think.


Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 OS|                            |All
         Resolution|---                         |WONTFIX
           Severity|blocker                     |enhancement

--- Comment #1 from Remy Maucherat <re...@apache.org> ---
Indeed, invalid requests are filtered out and get a 400, and are never actually
passed to the EE application (which has no available mechanism to distinguish
it from a regular request). The Filter is part of the EE application and thus
will never process the request. This cannot be implemented, so resolving as
WONTFIX.


--- Comment #3 from Remy Maucherat <re...@apache.org> ---
(In reply to Christopher Schultz from comment #2)
> It *could* be done with a Valve, though, I think.

Same issue: it is not going to be invoked unless it gets special dedicated
handling like for access logging.


--- Comment #4 from Christopher Schultz <ch...@christopherschultz.net> ---
Another good reason to use a load-balancer/reverse proxy in front of your
Tomcats.

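The reverse-proxy approach from comment #4, as an added example that is not part of the bug thread or of Tomcat's own configuration: nginx is assumed as the proxy, and the hostname, certificate paths, Tomcat connector port and max-age value are placeholders. The point it shows is that the proxy must be told to add the header on every status code, because a 400 produced by Tomcat's connector (or by nginx itself) never reaches the EE application where HttpHeaderSecurityFilter runs.

```nginx
# Added example (not from the bug thread): nginx in front of Tomcat, adding
# Strict-Transport-Security to every HTTPS response, including 400s that
# Tomcat's connector rejects before any Filter or Valve sees them.
# Hostname, certificate paths, upstream port and max-age are assumptions.
server {
    listen 443 ssl;
    server_name app.example.com;                              # placeholder

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # placeholder path

    # "always" is the important part. Without it, add_header only applies to
    # 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so the
    # 400 reported in this bug would still be sent without HSTS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Drop any HSTS header Tomcat's HttpHeaderSecurityFilter already set on
    # normal responses, so the client never sees two copies of the header.
    proxy_hide_header Strict-Transport-Security;

    location / {
        proxy_pass http://127.0.0.1:8080;                     # Tomcat HTTP connector, assumed port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To confirm the fix, request a URL containing one of the characters the report mentions and look at the headers of the resulting 400, for example `curl -g -k -s -D - 'https://app.example.com/?q=[' -o /dev/null`; the `-g` switch stops curl from interpreting the bracket itself. With `always` removed the header disappears from that response, which is the quickest way to see why the directive matters.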