Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0


Article ID: 226769




Products: Data Center Security Server Advanced, Data Center Security Server


How to enable HTTP Strict Transport Security (HSTS) for Data Center Security (DCS, DCS:SA) with Tomcat 9.0 on ports 443 and 8443.


Release: DCS, DCS:SA 6.9.0, 6.9.1

Component: Tomcat 9.0


More information can be found here:



To enable HSTS in Tomcat 9.0, follow the steps below:

  • Stop the management server service.
  • Take a backup of the configuration file <server_install_dir>/tomcat/conf/web.xml.
  • Open the <server_install_dir>/tomcat/conf/web.xml file in a text editor.
  • Uncomment the httpHeaderSecurity filter definition and the <filter-mapping> section, as shown below ('httpHeaderSecurity' is uncommented in two places in the file).

Modify/update the "httpHeaderSecurity" filter in the Tomcat web.xml with the following values:


Uncomment the section below:



The filter values above mean:

hstsEnabled (true): the HTTP Strict Transport Security (HSTS) header is added to the response.
hstsMaxAgeSeconds (31556927): the one-year max-age value used in the HSTS header.
hstsIncludeSubDomains (true): the includeSubDomains parameter is included in the HSTS header.

More information: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html

The following value is set in the response header:

"Strict-Transport-Security: max-age=31556927;includeSubDomains"

  • Save the file.
  • Start the management server service.
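As an added example (not part of the original article), this is how the two uncommented httpHeaderSecurity blocks in <server_install_dir>/tomcat/conf/web.xml look once the values from this article are applied. The filter class, <async-supported> element and the <filter-mapping> block are assumed from Tomcat's stock conf/web.xml; only the three init-param values come from this article.

```xml
<!-- Added example: httpHeaderSecurity filter as it appears after uncommenting
     and adding the HSTS values from this article. Filter class and mapping are
     assumed from Tomcat's stock conf/web.xml. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <!-- Emit the Strict-Transport-Security header (Tomcat's default is already true) -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- One year; without this Tomcat's default of 0 would send max-age=0 -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31556927</param-value>
    </init-param>
    <!-- Append includeSubDomains (Tomcat's default is false) -->
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- Second place to uncomment: apply the filter to every request -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Tomcat adds the HSTS header only to responses for HTTPS requests, so verify it on port 443 or 8443 rather than on a plain HTTP port, for example with `curl -sI https://<host>:8443/ | grep -i strict-transport-security`.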



  • In addition to the above steps, a certificate issued by a third-party CA is required in order to successfully enable HSTS.
  • HSTS does not support self-signed certificates: once a browser has seen the HSTS header for a host, it refuses connections with certificate errors and does not let the user bypass the warning.