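package com.bluelotussoftware.tomcat.security.valves;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Valve;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * <p>
 * This {@link Valve} adds a {@literal Strict-Transport-Security} header to the {@link Response} object. By
 * default the header emitted is {@literal Strict-Transport-Security: max-age=2592000; includeSubDomains},
 * where the max-age value represents 30 days.</p>
 * <p>
 * This is configured in the {@literal context.xml}, or {@literal server.xml} file using the following syntax:</p>
 * <pre>
 * <valve>
 * <class-name>com.bluelotussoftware.tomcat.security.valves.StrictTransportSecurityValve</class-name>
 * </valve>
 * </pre>
 * <p>
 * The following properties may be set on the valve at configuration time:</p>
 * <ul>
 * <li>{@literal maxAge} - the max-age directive in seconds (default 2592000, i.e. 30 days). Must not be
 * negative.</li>
 * <li>{@literal includeSubDomains} - whether the includeSubDomains directive is appended (default
 * {@code true}).</li>
 * <li>{@literal secureOnly} - when {@code true}, the header is only added to responses for requests that Tomcat
 * reports as secure via {@link Request#isSecure()}. RFC 6797 specifies that user agents ignore the header on
 * plain HTTP responses and that hosts should not send it there. The default is {@code false}, preserving the
 * original behaviour, because behind a TLS-terminating proxy {@code isSecure()} is only {@code true} when the
 * connector or an upstream valve marks the request as secure; enabling it without that would silently drop
 * the header.</li>
 * </ul>
 * <p>
 * The header is not added when the response already carries one, since user agents process only the first
 * {@literal Strict-Transport-Security} header they receive and a duplicate (e.g. the valve configured at two
 * container levels) would be ignored anyway.</p>
 * <p>
 * Properties are expected to be set before the valve starts handling requests; they are not synchronized.</p>
 *
 * @author Oliver Kohll
 * @author John Yeary
 * @version 1.0.1
 */
public class StrictTransportSecurityValve extends ValveBase {

    /**
     * Name of the response header emitted by this valve.
     */
    private static final String HEADER_NAME = "Strict-Transport-Security";

    /**
     * Set the default max age to 30 days in seconds.
     */
    private static final long DEFAULT_MAX_AGE = 2592000;

    /**
     * Value of the max-age directive in seconds; see {@link #setMaxAge(long)}.
     */
    private long maxAge = DEFAULT_MAX_AGE;

    /**
     * Whether the includeSubDomains directive is appended; see {@link #setIncludeSubDomains(boolean)}.
     */
    private boolean includeSubDomains = true;

    /**
     * Whether the header is only added to requests Tomcat reports as secure; see {@link #setSecureOnly(boolean)}.
     */
    private boolean secureOnly = false;

    /**
     * Returns the configured max-age directive in seconds.
     *
     * @return the max-age value in seconds.
     */
    public long getMaxAge() {
        return maxAge;
    }

    /**
     * Sets the max-age directive in seconds.
     *
     * @param maxAge the max-age value in seconds; {@code 0} tells user agents to forget the host's HSTS policy.
     * @throws IllegalArgumentException if {@code maxAge} is negative.
     */
    public void setMaxAge(long maxAge) {
        if (maxAge < 0) {
            throw new IllegalArgumentException("maxAge must not be negative: " + maxAge);
        }
        this.maxAge = maxAge;
    }

    /**
     * Returns whether the includeSubDomains directive is appended to the header.
     *
     * @return {@code true} if the directive is appended.
     */
    public boolean isIncludeSubDomains() {
        return includeSubDomains;
    }

    /**
     * Sets whether the includeSubDomains directive is appended to the header.
     *
     * @param includeSubDomains {@code true} to append the directive.
     */
    public void setIncludeSubDomains(boolean includeSubDomains) {
        this.includeSubDomains = includeSubDomains;
    }

    /**
     * Returns whether the header is only added to requests that Tomcat reports as secure.
     *
     * @return {@code true} if the header is restricted to secure requests.
     */
    public boolean isSecureOnly() {
        return secureOnly;
    }

    /**
     * Sets whether the header is only added to requests that Tomcat reports as secure.
     *
     * @param secureOnly {@code true} to restrict the header to requests where {@link Request#isSecure()} holds.
     */
    public void setSecureOnly(boolean secureOnly) {
        this.secureOnly = secureOnly;
    }

    /**
     * Builds the header value from the given directives.
     *
     * @param maxAge the max-age directive in seconds.
     * @param includeSubDomains whether to append the includeSubDomains directive.
     * @return the header value, e.g. {@literal max-age=2592000; includeSubDomains}.
     */
    static String buildHeaderValue(long maxAge, boolean includeSubDomains) {
        StringBuilder value = new StringBuilder("max-age=").append(maxAge);
        if (includeSubDomains) {
            value.append("; includeSubDomains");
        }
        return value.toString();
    }

    /**
     * {@inheritDoc}
     * <p>
     * Adds the configured {@literal Strict-Transport-Security} header to the {@link Response} object (by default
     * {@literal max-age=2592000; includeSubDomains}) and then passes the request down the pipeline.</p>
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // With secureOnly disabled the header is emitted unconditionally, as the original valve did.
        boolean wanted = !secureOnly || request.isSecure();
        // Skip when an earlier component already set the header: user agents honour only the first one.
        if (wanted && !response.containsHeader(HEADER_NAME)) {
            response.addHeader(HEADER_NAME, buildHeaderValue(maxAge, includeSubDomains));
        }
        getNext().invoke(request, response);
    }

}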