I have to add security measures to a website running a Tomcat 6 application server. One of it is adding the HTTP Strict-Transport-Policy Header. I did this by adding a filter which is in turn adding this header to any response. But there is static content served by apache webservers (in front of the application server), I have no access to. So my question is: Do I have to take care for this? Is it necessary to return this header with every served file (.css, .js, etc.)? As far as I understand this header, it tells the browser "Hey, if you read this, access this domain via HTTPS only for the next ".
Does HSTS HTTP Strict-Transport-Security has to be sent with any response file
httphttp-headers
Related Topic
- Reducing Apache request queuing
- Nginx + @font-face + Firefox / IE9
- IIS 7 returns HTTP 200 on custom 404 error page
- Iis – Http header 304 and caching
- Load Balancing with haproxy and http-send-name-header Host
- Reliable way to determine if a URL returns content or an error
- HSTS in Nginx – Should Strict-Transport-Security Header Be Added in Subdomain Server Blocks?
Best Answer
HSTS applies to the entire domain, so setting it in all of your responses should do the trick just fine.