Add HSTS feature to Tomcat

Trust you are all well.

My web application runs on Tomcat 6.0.43 and does not use Apache or nginx in front of it.

I already enforce an HTTP-to-HTTPS redirect for my web app using:

  1. A URL redirect at ../webapps/ROOT/index.jsp

<% response.sendRedirect("https://www.epi.com.my/portal/"); %>

  2. ../webapps/myapp/WEB-INF/web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Where should I add something like the code below?

Header add Strict-Transport-Security "max-age=15768000"

Or does Tomcat not have this feature? Or do I need to modify every controller in my Java web app?

epiziv asked Dec 18 '14 08:12




1 Answer

If you are able to use Tomcat 7 or 8, you can activate the built-in HSTS filter. Uncomment the httpHeaderSecurity filter definition in tomcat/conf/web.xml:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

and add a useful max-age parameter inside that <filter> element:

<!-- goes inside the <filter> element above, after <filter-class> -->
<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>

Don't forget to uncomment the filter mapping as well:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
mystygage answered Oct 02 '22 00:10
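For Tomcat 6, which has no HttpHeaderSecurityFilter, a small servlet filter in the web app can set the header itself. This is an added example, not code from the question or the answer: the class name HstsFilter is hypothetical, the init-param names are assumptions chosen to mirror the Tomcat 7/8 filter, and it is registered in WEB-INF/web.xml with a <filter> and a <filter-mapping> for /* exactly like the built-in one shown above.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds Strict-Transport-Security to responses served over TLS.
 * Hypothetical class name; registered via <filter>/<filter-mapping> in WEB-INF/web.xml.
 */
public class HstsFilter implements Filter {

    private static final String HEADER = "Strict-Transport-Security";
    private long maxAgeSeconds = 15768000L;     // same value as the Apache directive in the question
    private boolean includeSubDomains = false;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumed init-param names, mirroring Tomcat 7/8's HttpHeaderSecurityFilter.
        String maxAge = config.getInitParameter("hstsMaxAgeSeconds");
        if (maxAge != null) {
            maxAgeSeconds = Long.parseLong(maxAge.trim());
        }
        includeSubDomains = Boolean.parseBoolean(config.getInitParameter("hstsIncludeSubDomains"));
    }

    /** Builds the header value; kept separate so it can be unit-tested without a container. */
    static String headerValue(long maxAgeSeconds, boolean includeSubDomains) {
        StringBuilder sb = new StringBuilder("max-age=").append(maxAgeSeconds);
        if (includeSubDomains) {
            sb.append("; includeSubDomains");
        }
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // RFC 6797: the header only counts when received over HTTPS, so it is skipped on plain
        // HTTP; the CONFIDENTIAL security-constraint already redirects those requests anyway.
        if (request.isSecure() && response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).setHeader(HEADER, headerValue(maxAgeSeconds, includeSubDomains));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

After deploying, confirm with a TLS request that the response carries Strict-Transport-Security and that a plain HTTP request is redirected rather than carrying the header.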