
I have modified the TOMCAT/conf/web.xml file to set up HSTS in the Tomcat application server.

<!-- Enable HSTS -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsPreload</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- Enable HSTS Filter -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

This works fine on one server. But on another server, I could not see the Strict Header information. Even in the web browser, I could not see the Strict header. In the working setup, a self-signed certificate is employed. In Production, a third-party certificate is used. Will third-party certificates cause any issues with HSTS?
How do I debug this issue further?

Thank you in advance.

user1631072
  • Can you elaborate on how you test if the HSTS header is present? – Marek Puchalski Nov 02 '21 at 13:52
  • Thank you. In the web browser, open developer tools, network tab, and check the headers information. The Strict header information was present for the working server. But on the non-working server, I do not see the Strict header information. – user1631072 Nov 03 '21 at 01:23
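As an added example (not from the question or from Tomcat), the shell functions below parse the Strict-Transport-Security header out of raw response headers so the two servers can be compared from the command line rather than in DevTools; the sample responses are constructed, and the hostname `tomcat-host:8443` is a placeholder. Tomcat's HttpHeaderSecurityFilter adds the HSTS header only to responses for requests it regards as secure, so check both Tomcat's own HTTPS connector and the public hostname if a proxy terminates TLS in front of it.

```shell
#!/bin/sh
# Added example (not from the question or from Tomcat): parse the
# Strict-Transport-Security header out of raw HTTP response headers so the
# two servers can be compared from the command line instead of in DevTools.

# Constructed sample headers standing in for the two servers; the first
# mirrors what HttpHeaderSecurityFilter emits for the posted web.xml.
SAMPLE_WITH_HSTS='HTTP/1.1 200
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
X-Frame-Options: ALLOW-FROM https://OUR_PRIMARY_DOMAIN.HERE
Content-Type: text/html;charset=UTF-8'

SAMPLE_NO_HSTS='HTTP/1.1 200
X-Frame-Options: ALLOW-FROM https://OUR_PRIMARY_DOMAIN.HERE
Content-Type: text/html;charset=UTF-8'

# Read response headers on stdin; print the parsed HSTS policy, or MISSING.
# Returns 1 when the header is absent so the function works in an "if".
hsts_status() {
    # Header names are case-insensitive; strip CR from CRLF line endings.
    line=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$line" ]; then
        echo "MISSING"
        return 1
    fi
    value=$(printf '%s' "$line" | cut -d: -f2- | tr -d ' ')
    max_age=$(printf '%s' "$value" | tr ';' '\n' | grep -i '^max-age=' | cut -d= -f2)
    subs=$(printf '%s' "$value" | grep -qi 'includesubdomains' && echo yes || echo no)
    preload=$(printf '%s' "$value" | grep -qi 'preload' && echo yes || echo no)
    echo "PRESENT max-age=$max_age includeSubDomains=$subs preload=$preload"
}

# Fetch only the headers of one host over HTTPS (the filter adds HSTS only to
# responses for requests Tomcat regards as secure). Pass --insecure for the
# self-signed test server; production should verify without it.
fetch_headers() {
    curl -sS -o /dev/null -D - "$@"
}

# Usage against live hosts (not run here; tomcat-host is a placeholder):
#   fetch_headers https://OUR_PRIMARY_DOMAIN.HERE/ | hsts_status
#   fetch_headers --insecure https://tomcat-host:8443/ | hsts_status
printf '%s\n' "$SAMPLE_WITH_HSTS" | hsts_status
printf '%s\n' "$SAMPLE_NO_HSTS" | hsts_status || true
```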

0 Answers