# Missing or insecure HTTP Strict-Transport-Security header

From Tomcat 8 onward, the fix can be applied directly in conf/web.xml by adding the following:

```xml
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

[Reference site](http://support.ptc.com/help/thingworx_hc/thingworx_8_hc/zh_TW/index.html#page/ThingWorx/Help/Composer/Security/enabling_hsts_in_apache_tomcat.html)

###### tags: vulnerability scanning
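To confirm the finding is closed after the change, the header value the server returns can be checked the way a scanner checks it. The following is an added example, not code from the original note or from Tomcat: it parses a `Strict-Transport-Security` value and reports the conditions that produce a "missing or insecure" result (no header, no or non-numeric `max-age`, `max-age` below the one-year value set above, missing `includeSubDomains`, duplicate directives).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The one-year minimum matches the hstsMaxAgeSeconds value set in web.xml above.
ONE_YEAR = 31536000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    findings: List[str] = field(default_factory=list)

    @property
    def secure(self) -> bool:
        return not self.findings


def parse_hsts(header_value: Optional[str]) -> HstsResult:
    """Evaluate a Strict-Transport-Security value the way a scanner does.

    Directives are ';'-separated, names are case-insensitive and max-age may
    be quoted (RFC 6797 section 6.1); a duplicate directive makes the header
    invalid, so it is reported as a finding too.
    """
    if header_value is None:
        return HstsResult(False, None, False, ["header missing"])
    directives: Dict[str, Optional[str]] = {}
    findings: List[str] = []
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, has_value, value = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            findings.append(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if has_value else None
    max_age: Optional[int] = None
    value = directives.get("max-age")
    if "max-age" not in directives:
        findings.append("max-age missing")
    elif not re.fullmatch(r"\d+", value or ""):
        findings.append(f"max-age is not a number: {value!r}")
    else:
        max_age = int(value)
        if max_age == 0:
            findings.append("max-age=0 disables HSTS")
        elif max_age < ONE_YEAR:
            findings.append(f"max-age {max_age} is shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    return HstsResult(True, max_age, "includesubdomains" in directives, findings)
```

Tomcat's filter only emits the HSTS header on requests it considers secure, so check the header over the real HTTPS path (behind a TLS-terminating proxy this means the proxied request must be marked secure, for example via RemoteIpFilter or RemoteIpValve).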