WebTomcat - HSTS Missing From HTTPS Server (RFC 6797) - Verification

Article ID: 271086

Products

Spectrum Network Observability

Issue/Introduction

A vulnerability scan of Webtomcat (port 9443) reports that HSTS is not active. The scanner's plugin output states that the remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

In the $SPECROOT/webtomcat/conf/web.xml file, the following is set: 

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>

and 

<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
   <filter-name>httpHeaderSecurity</filter-name>
   <url-pattern>/*</url-pattern>
   <dispatcher>REQUEST</dispatcher>
</filter-mapping>

How can we verify that it's actually working?

Environment

DX NetOps Spectrum all currently supported releases

Resolution

Run the following from a host that can reach the Spectrum server, replacing example.com with the server's hostname and keeping the webtomcat port (9443) so the request is made over TLS directly to webtomcat:

curl -s -D- https://example.com:9443/ | grep -i Strict

This prints the Strict-Transport-Security line from the response headers. If the filter is not adding the header, nothing is printed. Note that nothing is printed either when curl itself fails, for example because webtomcat presents a self-signed certificate that curl does not trust; use -sS instead of -s so the error is shown, and add -k if you only want to inspect the headers regardless of certificate trust. If the header is still missing with the filter configured in web.xml, check that webtomcat was restarted after the file was edited, that the request really went over TLS (HttpHeaderSecurityFilter adds the HSTS header only to responses for requests Tomcat regards as secure), and that the request did not land on an error page: the mapping above lists only the REQUEST dispatcher, so a response produced through the ERROR dispatcher does not pass through the filter.

If it is, it will look like this:
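As an added example that is not part of the original article, the script below goes beyond the single grep and checks that the header actually matches the policy configured in web.xml: max-age of at least 31536000 seconds and the includeSubDomains directive. check_hsts reads raw response headers on stdin so it can be run against captured headers; check_hsts_url wraps curl and distinguishes "curl failed" from "header missing". The -k flag assumes webtomcat is presenting a self-signed certificate (an assumption here); drop it when the certificate chains to a trusted CA.

```shell
#!/bin/sh
# Verify the Strict-Transport-Security header sent by webtomcat (port 9443)
# against the policy in web.xml: hstsMaxAgeSeconds=31536000 and
# hstsIncludeSubDomains=true. Added example; not part of the original article.

MIN_MAX_AGE=31536000

# check_hsts: reads raw HTTP response headers on stdin.
# Returns 0 if a compliant HSTS header is present, 1 if the header is missing,
# 2 if max-age is absent or below MIN_MAX_AGE, 3 if includeSubDomains is missing.
check_hsts() {
    # Strip CRs, take the first HSTS header line (header names are case-insensitive).
    hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$hdr" ] || return 1
    # Everything after the first colon is the header value; lowercase it for matching.
    value=$(printf '%s' "$hdr" | cut -d: -f2- | tr '[:upper:]' '[:lower:]')
    max_age=$(printf '%s' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] || return 2
    [ "$max_age" -ge "$MIN_MAX_AGE" ] || return 2
    case "$value" in
        *includesubdomains*) ;;
        *) return 3 ;;
    esac
    return 0
}

# check_hsts_url URL: fetch the response headers with a GET (not HEAD, so the
# request type matches what the scanner sent) and run check_hsts on them.
# Returns 4 when curl itself fails, so a TLS or connection error is never
# mistaken for a missing header. -k is an assumption for a self-signed cert.
check_hsts_url() {
    headers=$(curl -sS -k -D - -o /dev/null "$1") || return 4
    printf '%s\n' "$headers" | check_hsts
}

# hsts_verdict RC: translate a check_hsts/check_hsts_url return code into text.
hsts_verdict() {
    case "$1" in
        0) echo "PASS: HSTS header present and meets policy" ;;
        1) echo "FAIL: Strict-Transport-Security header missing" ;;
        2) echo "FAIL: max-age below $MIN_MAX_AGE seconds" ;;
        3) echo "FAIL: includeSubDomains directive missing" ;;
        *) echo "ERROR: curl could not fetch the headers (check host, port 9443 and TLS trust)" ;;
    esac
}

# Usage: sh hsts_check.sh https://spectrum-host:9443/
if [ $# -eq 1 ]; then
    rc=0; check_hsts_url "$1" || rc=$?
    hsts_verdict "$rc"
    exit "$rc"
fi
```

The exit code is the verdict, so the script can be dropped into a post-change check or a scheduled job: a non-zero status means the scanner finding will come back on the next scan, and the verdict line says why.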