Trust you are all well.
My web application runs on Tomcat 6.0.43 and does not use Apache or nginx in front of it.
I already enforce a redirect from HTTP to HTTPS on my web app using:
<% response.sendRedirect("https://www.epi.com.my/portal/"); %>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Where do I add code like the one below?
Header add Strict-Transport-Security "max-age=15768000"
OR does Tomcat not have this feature? Or do I need to modify every one of my Java web app controllers?
If you are able to use Tomcat 7 or 8, you can activate the built-in HSTS filter. Uncomment the httpHeaderSecurity filter definition in tomcat/conf/web.xml:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>
and add a useful max-age param:
<!-- goes inside the <filter> element above, after <filter-class> -->
<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>
Don't forget to uncomment the filter mapping:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
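For a deployment that has to stay on Tomcat 6, where HttpHeaderSecurityFilter does not exist, the same effect can be had with a small servlet filter registered once per web app instead of touching every controller. This is an added example, not code from the answer above or from Tomcat; the package and class names are my own, and the init-param name mirrors the Tomcat 7/8 filter only for familiarity.

```java
package example.filters; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Register in WEB-INF/web.xml of the application (Servlet 2.5, as shipped with Tomcat 6):
 *
 *   <filter>
 *       <filter-name>hstsFilter</filter-name>
 *       <filter-class>example.filters.HstsFilter</filter-class>
 *       <init-param>
 *           <param-name>hstsMaxAgeSeconds</param-name>
 *           <param-value>31536000</param-value>
 *       </init-param>
 *   </filter>
 *   <filter-mapping>
 *       <filter-name>hstsFilter</filter-name>
 *       <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HstsFilter implements Filter {
    private long maxAgeSeconds = 31536000L; // default: one year

    public void init(FilterConfig config) throws ServletException {
        String v = config.getInitParameter("hstsMaxAgeSeconds");
        if (v != null && v.trim().length() > 0) {
            maxAgeSeconds = Long.parseLong(v.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // RFC 6797: the header is only meaningful over TLS; browsers ignore it on plain HTTP,
        // so it is set only when the container reports a secure connection.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            ((HttpServletResponse) res).setHeader("Strict-Transport-Security",
                    "max-age=" + maxAgeSeconds);
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The existing CONFIDENTIAL security-constraint still handles the first HTTP-to-HTTPS redirect; the filter only makes the browser remember to use HTTPS for the max-age period. Verify with `curl -sI https://<your-host>/portal/` that the Strict-Transport-Security header is present on the HTTPS response and absent on HTTP.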