tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Forcing SSL use
Date Mon, 07 Mar 2011 20:06:47 GMT
Olivier Lefevre wrote:
> On 3/7/2011 1:27 PM, Konstantin Kolinko wrote:
>> Why do you forbid HEAD? IMHO it should have the same constraints as
>> GET, because browsers use them together.
> OK. That doesn't answer my question, though.
> But in the meantime I realized that in the access log there are pairs
> of entries with status 302 and then 200 for each of these requests.
> Using the Live HTTP headers plugin confirmed the behaviour: the
> server responds with 302 and the https URL, following which the
> browser retries with that URL.
Slightly off-topic, but maybe of interest about the above :
 From previous experience, I remember that at least several versions of IE, systematically

issue first a HEAD request for any request, and then follow-up with a GET request for the

same resource.
Many robots have a similar behaviour : they will first try HEAD (because they are being 
nice and a HEAD is less costly for the server), and only if the HEAD fails, they try a GET.
So only for efficiency reasons, you may want to allow the HEAD requests.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message