Trust you all well.
My web application runs on Tomcat 6.0.43 and does not use Apache or nginx at the front.
I already enforce my web's redirect from http to https usi
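
If you are able to use Tomcat 7 or 8, you can activate the built-in HSTS filter. Uncomment the httpHeaderSecurity filter definition in tomcat/conf/web.xml:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

and add a useful max age param:

    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>

Don't forget to uncomment the filter mapping:

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>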