I have edited the web.xml to enable the HttpHeaderSecurityFilter, added a few params and restarted Tomcat. I'm not seeing the strict-transport-security in the response header.
I have performed the same steps on several Tomcat 9 installations with the same values in web.xml and it works as expected.
The pertinent entries in web.xml (some of the params are default and I know are not needed but I added while trying to work through this issue):
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsPreload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
ServerInfo:
Server version: Apache Tomcat/7.0.82
Server built: Sep 29 2017 12:23:15 UTC
Server number: 7.0.82.0
OS Name: Linux
OS Version: 3.10.0-1062.12.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_131-b11
JVM Vendor: Oracle Corporation
