IBM Support

PH35019: Add HSTS header for a 404 response.

APAR status

  • Closed as program error.

Error description

  • There are scenarios where the HTTP Dispatcher sets a 404
    status and sends a response without ever engaging the Web
    Container/Servlet layer. There are increasing reports of
    the HTTP Strict Transport Security header not being added
    in these scenarios.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere                  *
    *                  Application Server version 8.5.5 and 9.0    *
    ****************************************************************
    * PROBLEM DESCRIPTION: HTTP Strict-Transport-Security (HSTS)   *
    *                      header is missing for a 404 response.   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When a secured request is made to a non-existent application
    (i.e., a non-existent context root), a 404 response is returned
    without the HSTS header, even when one has been configured via
    the WebContainer custom property
    com.ibm.ws.webcontainer.addStrictTransportSecurityHeader.
    

Problem conclusion

  • The WebContainer code was changed to include the HSTS header
    in the response for a secured request to a non-existent
    application.  The current WebContainer custom property is
    required for this to work:
    
    com.ibm.ws.webcontainer.addStrictTransportSecurityHeader
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.8.
    For more information, see 'Recommended Updates for
    WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
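
One way to confirm the fix from the outside is to request a context root that does not exist and audit the 404 for a usable HSTS header. The following is an added example, not IBM code; the function names, the probe path and the sample header values are assumptions constructed for illustration.

```python
import http.client
import ssl
import uuid

def parse_hsts(value):
    """Return max-age (seconds) from an HSTS value per RFC 6797, or None if invalid."""
    max_age = None
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() != "max-age":
            continue  # includeSubDomains and unknown directives are ignored here
        arg = arg.strip().strip('"')  # the value may be a quoted-string
        if max_age is not None or not (arg.isascii() and arg.isdigit()):
            return None  # repeated or non-numeric max-age invalidates the header
        max_age = int(arg)
    return max_age  # None when the required max-age directive is absent

def audit(status, headers):
    """headers: list of (name, value) pairs as received. Returns (ok, reason)."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return False, f"{status}: HSTS header missing"
    max_age = parse_hsts(values[0])  # user agents process only the first HSTS field
    if max_age is None:
        return False, f"{status}: HSTS header malformed"
    if max_age == 0:
        return False, f"{status}: max-age=0 removes the HSTS policy"
    return True, f"{status}: HSTS max-age={max_age}"

def probe_missing_context_root(host, port=443, timeout=10):
    """Request a random (hypothetical) context root over TLS and audit the reply."""
    path = "/" + uuid.uuid4().hex + "/"
    conn = http.client.HTTPSConnection(
        host, port, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return audit(resp.status, resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses: a 404 as described in this APAR, and one with HSTS.
SAMPLE_404_NO_HSTS = (404, [("Content-Type", "text/html"), ("Content-Length", "0")])
SAMPLE_404_HSTS = (404, [("Content-Type", "text/html"),
                         ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")])

if __name__ == "__main__":
    for sample in (SAMPLE_404_NO_HSTS, SAMPLE_404_HSTS):
        print(audit(*sample))
```

Run `probe_missing_context_root` against a server you administer before and after applying the fix pack; a 200 from a deployed application carrying the header says nothing about the dispatcher-generated 404 path.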
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH35019

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-03

  • Closed date

    2021-05-18

  • Last modified date

    2021-08-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels


Document Information

Modified date:
13 August 2021