Originally posted by Angel Dobbs-Sciortino:
I don't think I can say the reason for encrypting the headers without violating the confidentiality clause in my contract. But it is something I need to attempt to do.
Understandable.
I think you're going to need to selectively encrypt the headers unless you have a proxy server that can decrypt them before they get to Tomcat (or whatever app server you're using). If you encrypt the content-length header for example, the socket won't know when the POSTs have completed. I can picture similar problems with the JSPSessionID.
They're all stored in a map so it shouldn't be difficult for your wrapper to pull them all out and return your new (encrypted) versions.
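
A sketch of the selective approach described in the reply above, added as an illustration and not code from the original poster. It treats the headers as a plain map, leaves an assumed list of transport and session headers in the clear (the session id is assumed to travel in `Cookie`), and encrypts the rest with AES-GCM; the class name, the `CLEAR` list and the sample headers are all constructed for this example.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class SelectiveHeaderCrypto {
    // Assumed list: headers the socket or container must be able to read before any decryption.
    static final Set<String> CLEAR = Set.of("content-length", "transfer-encoding", "host", "connection", "cookie");
    static final SecureRandom RNG = new SecureRandom();

    // The lower-cased header name is bound as AAD so a sealed value cannot be moved to another header.
    static byte[] aad(String name) { return name.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8); }

    static String seal(SecretKey key, String name, String value) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh nonce per value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        c.updateAAD(aad(name));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }

    static String open(SecretKey key, String name, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        c.updateAAD(aad(name));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    // Returns a new map; headers in CLEAR pass through untouched in both directions.
    static Map<String, String> transform(SecretKey key, Map<String, String> headers, boolean encrypt) throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            boolean clear = CLEAR.contains(e.getKey().toLowerCase(Locale.ROOT));
            out.put(e.getKey(), clear ? e.getValue()
                    : encrypt ? seal(key, e.getKey(), e.getValue()) : open(key, e.getKey(), e.getValue()));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // demo key; a real deployment shares it out of band
        Map<String, String> h = Map.of("Content-Length", "42", "Cookie", "JSESSIONID=EXAMPLE", "X-Account", "12345"); // constructed sample
        Map<String, String> enc = transform(key, h, true);
        System.out.println(enc);
        System.out.println("round trip ok: " + transform(key, enc, false).equals(h));
    }
}
```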