tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Apache TomCat 5.5
Date Wed, 14 Sep 2016 18:58:03 GMT
> From: Pham, Mary (NIH/OD/ORS) [E] [mailto:marypham@mail.nih.gov] 
> Subject: Apache TomCat 5.5

> We have been using one of the old Apache TomCat on windows server 2008R2, IIS 7.

Firstly, it's Tomcat, not TomCat.

> We need to apply a header directive in Apache "Strict-Transport-Security" so that our web site
> would be secured as the Government required.

Your web site is pretty much guaranteed to be _insecure_ as long as you're running that old
- and unsupported - version of Tomcat.  The last Tomcat 5.5 release was nearly four years
ago, and many, many vulnerabilities have been addressed since then.  SSL does not protect
you against those.  You really must upgrade to a supported level (preferably 8.5), after carefully
reading the migration guides:
http://tomcat.apache.org/migration.html

Not doing so makes anything else you try pointless.

> My question is where can I insert this line?

As suggested by Daniel, a filter is your best bet - but upgrade Tomcat first.  Not doing so
leaves you subject to many more liabilities than lack of HSTS.

 - Chuck 
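
The filter approach recommended above, as an added example that is not part of the original message: a servlet filter that sets Strict-Transport-Security on secure requests only. The class name `HstsFilter` and the init-param names `maxAgeSeconds` and `includeSubDomains` are assumptions made for illustration; the code uses the `javax.servlet` API.

```java
// Added example, not code from the thread. HstsFilter and its init-param
// names (maxAgeSeconds, includeSubDomains) are hypothetical.
// Register it in WEB-INF/web.xml with a <filter> entry naming this class and
// a <filter-mapping> with <url-pattern>/*</url-pattern>.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HstsFilter implements Filter {

    private String headerValue;

    public void init(FilterConfig config) throws ServletException {
        // Default max-age is one year (31536000 seconds) when no init-param is given.
        String maxAge = config.getInitParameter("maxAgeSeconds");
        long seconds;
        try {
            seconds = (maxAge == null) ? 31536000L : Long.parseLong(maxAge.trim());
        } catch (NumberFormatException e) {
            throw new ServletException("maxAgeSeconds is not a number: " + maxAge);
        }
        if (seconds < 0) {
            throw new ServletException("maxAgeSeconds must not be negative");
        }
        StringBuilder value = new StringBuilder("max-age=").append(seconds);
        if ("true".equalsIgnoreCase(config.getInitParameter("includeSubDomains"))) {
            value.append("; includeSubDomains");
        }
        headerValue = value.toString();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // RFC 6797 says the header is sent only over secure transport. isSecure()
        // reports what the connector knows, so when TLS terminates at a front-end
        // server the connector must be set up to mark the request as secure.
        if (request.isSecure() && response instanceof HttpServletResponse) {
            // Set before the chain runs, so the header is in place before the response commits.
            ((HttpServletResponse) response).setHeader("Strict-Transport-Security", headerValue);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

On supported Tomcat releases the bundled `org.apache.catalina.filters.HttpHeaderSecurityFilter` can set the same header without custom code.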

