Vulnerability scan on WebTomcat shows HSTS headers are missing. This is despite HSTS being configured in $SPECROOT/webtomcat/conf/web.xml
DX NetOps Spectrum 24.3.3 or later
The issue here is that when the URL https://server-name:9443/ is requested, it does not route to any of our deployed applications; Tomcat returns its own default 404 error page, and it is this server-level default page that carries no HSTS headers. This is expected behaviour.
HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 431
Date: Thu, 08 May 2025 00:51:20 GMT
Connection: close
But, as shown below, when a ROOT folder is present and we launch https://server-name:9443/, the request still results in the 404 error, but the response now carries the required HSTS headers from the application.
However, if there is a ROOT folder under webapps, Tomcat uses that ROOT folder as the default web application to serve the request, and with this approach it applies the HTTPHeaderSecurityFilter defined in the $SPECROOT/webtomcat/conf/web.xml file. As a result, the HSTS headers defined in that web.xml file are added to the response.
This is due to a missing empty ROOT folder under the $SPECROOT/webtomcat/webapps directory.
To resolve this, do the following:
$SPECROOT/webtomcat/webapps directory:
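The check and the fix described above, as an added shell example that is not part of this article: it tests a captured set of response headers for Strict-Transport-Security and creates the empty ROOT folder when it is absent. The URL, the use of curl -k for a self-signed WebTomcat certificate, and the sample header text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the KB article.
# Verifies that a WebTomcat response carries HSTS and ensures the empty ROOT
# webapp exists so that HttpHeaderSecurityFilter from conf/web.xml is applied
# to requests for "/". Assumes SPECROOT is set and curl is installed.

# Constructed sample responses (not captured from a real server).
SAMPLE_NO_HSTS='HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Length: 431'
SAMPLE_WITH_HSTS='HTTP/1.1 404
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html;charset=utf-8'

# Return 0 if the header text (as printed by "curl -sI") contains a
# Strict-Transport-Security header. Header names are case-insensitive.
has_hsts_header() {
    printf '%s\n' "$1" | grep -qi '^strict-transport-security:'
}

# Fetch only the response headers. -k tolerates a self-signed certificate;
# drop it when WebTomcat uses a certificate from a trusted CA.
fetch_headers() {
    curl -sSIk --max-time 10 "$1"
}

# Ensure <webapps>/ROOT exists. An empty directory is enough: Tomcat then
# routes "/" to that default web application and runs the filter chain from
# conf/web.xml instead of serving the bare container 404 page.
ensure_root_webapp() {
    if [ -d "$1/ROOT" ]; then
        echo "ROOT already present in $1"
        return 0
    fi
    mkdir "$1/ROOT" || return 1
    echo "Created empty $1/ROOT"
}

# Live check: returns 0 when the HSTS header is present for the given URL,
# 1 when it is missing, 2 when the request itself failed.
check_hsts_live() {
    hdrs=$(fetch_headers "$1") || return 2
    has_hsts_header "$hdrs" && { echo "HSTS present for $1"; return 0; }
    echo "HSTS missing for $1 (check \$SPECROOT/webtomcat/webapps/ROOT)" >&2
    return 1
}

# Usage (placeholders): ensure_root_webapp "$SPECROOT/webtomcat/webapps"
#                       check_hsts_live "https://server-name:9443/"
```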