APAR status
Closed as program error.
Error description
There are scenarios where the HTTP Dispatcher will set a 404 status and send a response without ever engaging the Web Container/Servlet layer. There is an increasing number of reports of the HTTP Strict Transport Security header not being added in these scenarios.
Local fix
N/A
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server version 8.5.5 and 9.0
PROBLEM DESCRIPTION: HTTP Strict-Transport-Security (HSTS) header is missing for a 404 response.
RECOMMENDATION:

When a secured request is made to a non-existent application (i.e. a non-existent context root), a 404 response is returned without the HSTS header, even when one has been configured via the WebContainer custom property com.ibm.ws.webcontainer.addStrictTransportSecurityHeader
Problem conclusion
The WebContainer code was changed to include the HSTS header in the response for a secured request to a non-existent application. The current WebContainer custom property is required for this to work:
com.ibm.ws.webcontainer.addStrictTransportSecurityHeader

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.20 and 9.0.5.8. For more information, see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553
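The check below is an added example, not IBM's code: it audits saved response heads for a usable Strict-Transport-Security header, so that the 404 returned for a non-existent context root can be verified after the fix pack is applied. The sample responses, paths and function names are constructed for illustration.

```python
import re

# Constructed sample response heads, as saved by `curl -s -D - -o /dev/null`.
# Paths and header values are illustrative and are not taken from the APAR.
SAMPLES = {
    "/app/index.jsp": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
    ),
    "/no-such-context-root": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
}

def parse_head(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw response head."""
    lines = raw.split("\r\n\r\n", 1)[0].splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # RFC 6797: if the header is repeated, only the first one is processed.
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers

def hsts_problem(headers):
    """Return None if a usable HSTS policy is present, else a short reason."""
    value = headers.get("strict-transport-security")
    if value is None:
        return "header missing"
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
    if not m:
        return "no valid max-age directive"
    return "max-age=0 clears the policy" if int(m.group(1)) == 0 else None

def audit(samples):
    """Map each path to (status, problem) for responses lacking a usable HSTS policy."""
    findings = {}
    for path, raw in samples.items():
        status, headers = parse_head(raw)
        problem = hsts_problem(headers)
        if problem:
            findings[path] = (status, problem)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLES))
```

An empty result from `audit` means every captured response, including the 404, carried a usable HSTS policy.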
Temporary fix
Comments
APAR Information
APAR number
PH35019
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-03
Closed date
2021-05-18
Last modified date
2021-08-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
02 November 2021