在tomcat 7中启用http严格传输安全性

时间:2018-03-16 12:39:50

标签: tomcat7 hsts

我正在尝试在我的应用程序中启用hsts。我已经像这样修改了我的web.xml。这是WEB-INF web.xml而不是在tomcat中

的web.xml

    <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
    </init-param> 
    <init-param>
    <param-name>maxAgeSeconds</param-name>
   <param-value>31536000</param-value>
   </init-param>
  <init-param>
  <param-name>includeSubDomains</param-name>
  <param-value>true</param-value>
  </init-param>
  <async-supported>true</async-supported>
  <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>DENY</param-value>
    </init-param>
    </filter>
    <filter-mapping> 
    <filter-name>httpHeaderSecurity</filter-name> 
    <url-pattern>/*</url-pattern>
    </filter-mapping>

我正在使用此测试工具https://tools.geekflare.com检查我的网站网址。但是没有启用任何内容。所有显示交叉标记。但是在上面的配置中,如果我删除了hsts,如果我将其部署在xml下面那么X- XSS-Protection标头,X-Frame-Options标头标头,X-Content-Type-Options标头已启用,但未启用HTTP严格传输安全(HSTS)标头。

    <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>DENY</param-value>
    </init-param>
    </filter>
  <filter-mapping> 
  <filter-name>httpHeaderSecurity</filter-name> 
  <url-pattern>/*</url-pattern>
  </filter-mapping>

有人能说出如何启用HTTP严格传输安全(HSTS)标头吗?在tomcat 7?

0 个答案:

没有答案