我编辑了 web.xml 以启用 HttpHeaderSecurityFilter,添加了一些参数并重新启动了 Tomcat。我没有在响应标头中看到 strict-transport-security。
我已经在 web.xml 中使用相同值的几个 Tomcat 9 安装上执行了相同的步骤,并且它按预期工作。
web.xml 中的相关条目(一些参数是默认的,我知道不需要,但我在尝试解决这个问题时添加了):
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsPreload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
服务器信息:
Server version: Apache Tomcat/7.0.82
Server built: Sep 29 2017 12:23:15 UTC
Server number: 7.0.82.0
OS Name: Linux
OS Version: 3.10.0-1062.12.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_131-b11
JVM Vendor: Oracle Corporation