Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0
Article ID: 226769

Products

Data Center Security Server Advanced, Data Center Security Server

Issue/Introduction

How to enable HTTP Strict Transport Security (HSTS) for Data Center Security (DCS, DCS:SA) with Tomcat 9.0 on ports 443 and 8443.

Environment

Release: DCS, DCS:SA 6.9.0, 6.9.1

Component: Tomcat 9.0

Cause

Resolution

To enable HSTS in Tomcat 9.0, follow the steps below:

  • Stop the management server service.
  • Take a backup of the configuration file <server_install_dir>/tomcat/conf/web.xml.
  • Open the <server_install_dir>/tomcat/conf/web.xml file in a text editor.
  • Uncomment the httpHeaderSecurity filter definition and the <filter-mapping> section, as shown below ('httpHeaderSecurity' appears in two places in the file; uncomment both).

Modify/update the "httpHeaderSecurity" filter in the Tomcat web.xml with the following values:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

Uncomment the section below:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

The filter values above mean:

hstsEnabled (true): add the HTTP Strict Transport Security (HSTS) header to the response.
hstsMaxAgeSeconds (31536000): the max-age value, one year, used in the HSTS header.
hstsIncludeSubDomains (true): include the includeSubDomains parameter in the HSTS header.


More information: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html

The following value is then set in the response header:

"Strict-Transport-Security: max-age=31536000;includeSubDomains"

  • Save the file.
  • Start the management server service.

Note:

  • In addition to the steps above, a third-party certificate is required in order to successfully enable HSTS.
  • HSTS does not support self-signed certificates.
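
As an added verification step (not part of this article or of the DCS product), the Python check below parses web.xml to confirm that the httpHeaderSecurity filter and its filter-mapping are both uncommented with the values above, and validates a served Strict-Transport-Security value such as the one returned by curl -sI against ports 443 and 8443. The web.xml excerpt embedded in it is constructed for the example.

```python
import xml.etree.ElementTree as ET

ONE_YEAR = 31536000  # the hstsMaxAgeSeconds value the article sets

# Constructed web.xml excerpt (Tomcat 9 schema): the article's filter, uncommented and mapped.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
<filter><filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
<init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
<init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
</filter>
<filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace, whatever schema version web.xml declares

def config_ok(web_xml_text):
    """True only when the httpHeaderSecurity <filter> and <filter-mapping> are both
    uncommented (ElementTree never sees comments) and carry the article's values."""
    params, mapped = {}, False
    for elem in ET.fromstring(web_xml_text).iter():
        kind = _local(elem.tag)
        names = [(c.text or "").strip() for c in elem if _local(c.tag) == "filter-name"]
        if names != ["httpHeaderSecurity"]:
            continue
        if kind == "filter-mapping":
            mapped = True
        elif kind == "filter":
            for ip in (c for c in elem if _local(c.tag) == "init-param"):
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv["param-name"]] = kv["param-value"]
    return (mapped and params.get("hstsEnabled") == "true"
            and params.get("hstsIncludeSubDomains") == "true"
            and int(params.get("hstsMaxAgeSeconds", "0")) >= ONE_YEAR)

def header_ok(header_value):
    """Validate a served Strict-Transport-Security value (e.g. copied from curl -sI output)."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        key, _, value = (s.strip().lower() for s in directive.partition("="))
        if key == "max-age" and value.isdigit():
            max_age = int(value)
        elif key == "includesubdomains":
            include_sub = True
    return max_age is not None and max_age >= ONE_YEAR and include_sub
```

Run config_ok on the real web.xml before starting the service; once it is up, feed the Strict-Transport-Security value from each port into header_ok to confirm both 443 and 8443 serve it.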