tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Harrie Robins" <har...@eyequestion.nl>
Subject RE: HSTS missing from HTTPS server on tomcat 8.0.27
Date Mon, 08 Feb 2016 15:21:38 GMT
Hello!

Missing HSTS is not a vulnerability, as Mark pointed out, it is a feature.
In your web.xml

  <filter>
        <filter-name>httpHeaderSecurity</filter-name>
 
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-c
lass>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

This will NOT activate HSTS for your application, you will need to add this
mapping as well (edit to needs and add to application):

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

Regards,

Harrie

-----Original Message-----
From: dkumar@ccilindia.co.in [mailto:dkumar@ccilindia.co.in] 
Sent: maandag 8 februari 2016 15:50
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: HSTS missing from HTTPS server on tomcat 8.0.27

Hi,

We are unable to fix the vulnerability of "HSTS missing from HTTPS server" 
on apache tomcat  8.0.27 while running on unix operating system. Below is
the system configuration:

 OS Name:               HP-UX
 OS Version:            B.11.31
 Architecture:           IA64N
Java Home:            /opt/java8/jre
JVM Version:          1.8.0.04-hp-ux-b2
JVM Vendor:           Hewlett-Packard Company

We have uncommented the httpHeaderSecurity in the filter tag of conf/web.xml
file, but still the vulnerability exists. We have also tried with apache
tomcat 8.0.30, but in vain.


Any help to fix this vulnerability is appreciated.

Thanks & Regards
Deepak Kumar
"Disclaimer and confidentiality clause -  This message and any attachments
relating to official business of CCIL OR ANY OF IT'S SUBSIDIARIES is
proprietary to CCIL and intended for the original addressee only.
The message may contain information that is confidential and subject to
legal privilege. 
Any views expressed in this message are those of the individual sender. 
If you have received this message in error, please notify the original
sender immediately and destroy the message and copies thereof and any
attachments contained in it .
 If you are not the intended recipient of this message, you are hereby
notified that you must not disseminate, copy, use, distribute, or take any
action in connection therewith. 
 CCIL cannot ensure that the integrity of this communication has been
maintained nor that it is free of errors, viruses, interception and/or
interference. 
CCIL is not liable whatsoever for loss or damage resulting from the opening
of this message and/or attachments and/or the use of the information
contained in this message and/or attachments."


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message