Missing HSTS header in checkmarx report

Question

I am using Checkmarx to analyse my project, and the only remaining medium severity item is Missing_HSTS_Filter, with the Destination name being HSTSFilter. In my web.xml, I have :

<filter>
    <filter-name>HSTSFilter</filter-name> <!-- checkmarx says problem is here -->
    <filter-class>c.h.i.c.web.security.HSTSFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The HSTSFilter class :

public class HSTSFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");
        chain.doFilter(req, resp);
    }
}

So I tried something else and because I am using Tomcat 7, I tried adding the following instead in web.xml :

<filter> <!-- checkmarx now complains here -->
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31622400</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Checkmarx still complains, saying the Destination name this time was StatementCollection. I don't understand what that means.

What am I missing ?

Answer 1

Strange thing. You really use the right configuration. On this Checkmarx rule, I find a lot of False Positive in some scan. Anyway,try to add this lines to your web.xml in the filter configuration :

<init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
</init-param>

<init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
</init-param>

Answer 2

I got this error in check Marx violations in the JSP where a scriptlet tag is used to execute java source code in JSP. Syntax is as follows: <% java source code %>

So I fixed it just by providing 

<% response.setHeader("Strict-Transport-Security" ,"max-age=7776000" ); %>

Also made changes in java code , a class file and web.xml changes : 

web.xml : 

    <filter>
        <filter-name>HSTSFilter</filter-name>
        <filter-class>com.abc.gbm.test.config.HSTSFilter</filter-class>
        <init-param>
            <param-name>maxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>

        <init-param>
            <param-name>includeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HSTSFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>
    

Java class filter : 
package com.abc.gbm.test.config;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HSTSFilter implements Filter {
 private static final String HEADER_NAME = "Strict-Transport-Security";
 private static final String MAX_AGE_DIRECTIVE = "max-age=%s";
 private static final String INCLUDE_SUB_DOMAINS_DIRECTIVE = "includeSubDomains";
 private static final Logger logger = LoggerFactory.getLogger(HSTSFilter.class);

 private int maxAgeSeconds = 0;
 private boolean includeSubDomains = false;
 private String directives;

 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
   throws IOException, ServletException {
  logger.info("request.isSecure() :: {}" , request.isSecure());

  if (request.isSecure() && response instanceof HttpServletResponse) {
   HttpServletResponse res = (HttpServletResponse) response;
   res.addHeader(HEADER_NAME, this.directives);
  }
  chain.doFilter(request, response);
 }

 public void init(FilterConfig filterConfig) throws ServletException {
  maxAgeSeconds = Integer.parseInt(filterConfig.getInitParameter("maxAgeSeconds"));
  includeSubDomains = "true".equals(filterConfig.getInitParameter("includeSubDomains"));

  if (this.maxAgeSeconds <= 0) {
   throw new ServletException("Invalid maxAgeSeconds value :: " + maxAgeSeconds);
  }

  this.directives = String.format(MAX_AGE_DIRECTIVE, this.maxAgeSeconds);
  if (this.includeSubDomains) {
   this.directives += (" ; " + INCLUDE_SUB_DOMAINS_DIRECTIVE);
  }
  System.out.println("directives :: "+directives);
 }

 @Override
 public void destroy() {
 }
}