
Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0


Article ID: 226769


Products

Data Center Security Server Advanced Data Center Security Server

Issue/Introduction

How to enable HTTP Strict Transport Security (HSTS) for Data Center Security (DCS, DCS:SA) with Tomcat 9.0 on ports 443 and 8443.

Cause

More information can be found here:

https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html 

Environment

Release: DCS, DCS:SA  6.9.0, 6.9.1

Component: Tomcat 9.0

Resolution

To enable HSTS in Tomcat 9.0, follow the steps below:

  • Stop the management server service.
  • Take a backup of the configuration file <server_install_dir>/tomcat/conf/web.xml.
  • Open the <server_install_dir>/tomcat/conf/web.xml file in a text editor.

Modify or update the "httpHeaderSecurity" filter in the Tomcat web.xml with the following values:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31556927</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

The above filter values represent:

hstsEnabled (true): adds the HTTP Strict Transport Security (HSTS) header to the response.
hstsMaxAgeSeconds (31556927): the max-age value, one year, used in the HSTS header.
hstsIncludeSubDomains (true): includes the includeSubDomains parameter in the HSTS header.

More information: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html

The following value is then set in the response header:

"Strict-Transport-Security: max-age=31556927;includeSubDomains"
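To confirm the header after the change, here is an added Python check (not part of this article or the DCS product) that parses the Strict-Transport-Security value shown above and flags a missing header, a max-age under one year, or a missing includeSubDomains directive; the host name dcs-server.example is a placeholder for the management server.

```python
import http.client
import ssl

ONE_YEAR = 31536000  # 365 days; the article's 31556927 is just above this floor


def parse_hsts(value):
    """Split a ';'-separated HSTS value into {lowercased directive: value} (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value, min_age=ONE_YEAR, require_subdomains=True):
    """Return a list of findings; an empty list means the header passes."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(value)
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not an integer")
    elif int(d["max-age"]) < min_age:
        findings.append("max-age %s is below %d seconds" % (d["max-age"], min_age))
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    return findings


def fetch_hsts(host, port=443, path="/"):
    """HEAD the server over TLS and return the raw header value (None if absent).
    Certificate verification stays on, so a self-signed certificate fails here."""
    conn = http.client.HTTPSConnection(host, port, timeout=10,
                                       context=ssl.create_default_context())
    conn.request("HEAD", path)
    return conn.getresponse().getheader("Strict-Transport-Security")


if __name__ == "__main__":
    # dcs-server.example is a placeholder; substitute the management server host.
    for port in (443, 8443):  # the two ports the article covers
        print(port, check_hsts(fetch_hsts("dcs-server.example", port)))
```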

Note:

  • In addition to the above steps, a certificate issued by a third-party certificate authority must be used to enable HSTS successfully.
  • HSTS does not support self-signed certificates.