Tomcat 9 configuration for HTTPS with HSTS


We are trying to set up HSTS for an application served from a Tomcat 9 server installed on Windows Server 2016 without IIS. When I load a page from it, the response header in the developer console does include strict-transport-security: max-age=31536000;includeSubDomains;preload. The issue is that when the vulnerability scans are run, they return the error message "The remote web server is not enforcing HSTS." We are also getting a message saying TLSv1.0 is enabled.

I should also note that the pages served by Tomcat are accessed using the primary domain name, which hits a load balancer that also serves as a reverse proxy and passes all requests to Tomcat. We have scanned it using the primary domain assigned to the load balancer and by using the Tomcat server name directly, without the load balancer, and get the same scan results.

I have included what we are adding to the Tomcat server.xml and web.xml files. Any suggestions on what we are doing wrong, or are missing, would be greatly appreciated.

We have included the following in our server.xml file:

<!--  For Redirect from HTTP to HTTPS  -->
<Connector executor="tomcatThreadPool"
           port="80"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"/>


<!--  SSL Connector  -->
<Connector
    port="443"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">

    <SSLHostConfig sslProtocol="TLS"
                   protocols="TLSv1.2+TLSv1.3"
                   certificateKeystoreFile="G:\keystore\OUR_KEYSTORE_FILE.jks"
                   certificateKeystorePassword="OUR_KEYSTORE_PASSWORD"
                   certificateKeystoreType="JKS">
    </SSLHostConfig>
</Connector>

We have configured the web.xml file with the following for HSTS and the redirect:

<!-- Enable HSTS   -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsPreload</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- Enable HSTS Filter  -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!--  for Redirect from HTTP to HTTPS  -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Answer:


The thing is, if you try your URL with http, it should redirect you to https, where your first request with https will show you in the response header something like Non-Authoritative-Reason: HSTS; then you can see the second request would go with https to the same endpoint, as you are directing all 80 to 443, and there you can see the relevant header.
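To make both halves of this thread concrete, here is an added Python example (not code from the question, the answer, or Tomcat itself). The first part evaluates a port-80 response and a port-443 response the way a scanner does: the redirect must point at https, and the Strict-Transport-Security header must be present on the HTTPS response with a sufficient max-age. The second part is a minimal model of the browser-side HSTS store that produces the internal redirect the answer describes: a policy seen over plain http is ignored (RFC 6797 section 8.1), a policy seen over https is cached, and later http URLs for that host (and subdomains when includeSubDomains is set) are rewritten to https before any network request. The hostnames and raw responses are constructed to mirror the configuration in the question; the 302 on port 80 is an assumption about what the redirect looks like.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses (not captured from the asker's server).
HTTP_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.test/\r\n"
    "Content-Length: 0\r\n\r\n")
HTTPS_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains;preload\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>")
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercase-name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_sts(value):
    """Parse Strict-Transport-Security directives (RFC 6797 section 6.1)."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().isdigit():
            policy["max-age"] = int(val.strip())
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def evaluate_hsts(http_raw, https_raw, min_max_age=31536000):
    """Scanner-style check; returns a list of findings (empty when HSTS is enforced)."""
    findings = []
    status, headers = parse_response(http_raw)
    if not (300 <= status < 400 and headers.get("location", "").lower().startswith("https://")):
        findings.append("port 80 does not redirect to https")
    status, headers = parse_response(https_raw)
    sts = headers.get("strict-transport-security")
    if sts is None:
        # Browsers only honour the header over TLS, so this is what "not enforcing" means.
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    policy = parse_sts(sts)
    if policy["max-age"] is None:
        findings.append("max-age directive missing or malformed")
    elif policy["max-age"] < min_max_age:
        findings.append(f"max-age {policy['max-age']} below {min_max_age}")
    return findings


class HstsCache:
    """Minimal model of a browser's HSTS host store."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, status, headers):
        """Record a policy from a response; returns True if the store changed."""
        parts = urlsplit(url)
        sts = headers.get("strict-transport-security")
        if parts.scheme != "https" or sts is None:  # STS over plain http is ignored
            return False
        policy = parse_sts(sts)
        if policy["max-age"] is None:
            return False
        if policy["max-age"] == 0:  # max-age=0 clears the entry
            self.hosts.pop(parts.hostname, None)
            return True
        self.hosts[parts.hostname] = (self.now() + policy["max-age"], policy["includeSubDomains"])
        return True

    def upgrade(self, url):
        """Return the https URL fetched instead (the internal 307), or None."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return None
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue
            if i == 0 or entry[1]:
                netloc = parts.hostname + (f":{parts.port}" if parts.port not in (None, 80) else "")
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return None


def demo():
    """Run the scanner check and the browser flow over the constructed samples."""
    good = evaluate_hsts(HTTP_REDIRECT, HTTPS_OK)
    bad = evaluate_hsts(HTTP_REDIRECT, HTTPS_NO_HSTS)
    cache = HstsCache()
    cache.observe("http://www.example.test/", *parse_response(HTTP_REDIRECT))  # ignored
    before = cache.upgrade("http://www.example.test/login")
    cache.observe("https://www.example.test/", *parse_response(HTTPS_OK))
    after = cache.upgrade("http://www.example.test/login")
    sub = cache.upgrade("http://app.www.example.test/")
    return good, bad, before, after, sub


if __name__ == "__main__":
    print(demo())
```

The scanner check is the same logic you can run against real captures taken from both paths in the question (via the load balancer and directly against Tomcat), which is the quickest way to see whether the header survives the reverse proxy: if `evaluate_hsts` is clean for the direct capture but not for the proxied one, the proxy is the place to look.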