
Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0


Article ID: 226769




Products: Data Center Security Server Advanced, Data Center Security Server


How to enable HTTP Strict Transport Security (HSTS) for Data Center Security (DCS, DCS:SA) with Tomcat 9.0 on ports 443 and 8443.


More information can be found here: 


Release: DCS, DCS:SA 6.9.0, 6.9.1

Component: Tomcat 9.0


To enable HSTS in Tomcat 9.0, follow the steps below:

  • Stop the management server service.
  • Take a backup of the configuration file <server_install_dir>/tomcat/conf/web.xml.
  • Open <server_install_dir>/tomcat/conf/web.xml in a text editor.

Modify or update the "httpHeaderSecurity" filter in Tomcat's web.xml with the following values:
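The filter block as it would appear in <server_install_dir>/tomcat/conf/web.xml, added here as an illustrative example rather than the article's own screenshot: the filter class and the filter-mapping are taken from Tomcat 9's stock conf/web.xml (where the block ships commented out), and the init-param values are the three described in this article.

```xml
<!-- Added example (not the article's own snippet): httpHeaderSecurity
     filter in tomcat/conf/web.xml with the HSTS settings this article
     describes. Filter class and filter-mapping follow Tomcat 9's stock
     web.xml; uncomment that block or add this one. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <!-- Emit the Strict-Transport-Security header. Tomcat only adds it
         on requests it sees as secure (HTTPS on 443/8443 here). -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- max-age in seconds; 31556927 is one year -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31556927</param-value>
    </init-param>
    <!-- Extend the policy to all subdomains of the host -->
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- Without a mapping the filter is defined but never runs -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

With these values the response carries "Strict-Transport-Security: max-age=31556927;includeSubDomains". Note that HttpHeaderSecurityFilter also sets X-Frame-Options: DENY and X-Content-Type-Options: nosniff by default; if the console is ever loaded inside a frame, adjust antiClickJackingOption (or antiClickJackingEnabled) accordingly.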



The filter values above mean:

hstsEnabled (true): add the HTTP Strict Transport Security (HSTS) header to the response.
hstsMaxAgeSeconds (31556927): the max-age value, one year in seconds, to use in the HSTS header.
hstsIncludeSubDomains (true): include the includeSubDomains directive in the HSTS header.


The following header is then set on every response:

"Strict-Transport-Security: max-age=31556927;includeSubDomains"



  • In addition to the steps above, a certificate issued by a trusted third-party CA must be in use for HSTS to take effect.
  • HSTS does not work with self-signed certificates: browsers ignore the header when the certificate is not trusted.