search cancel

HSTS in PM Jetty

book

Article ID: 238552

calendar_today

Updated On:

Products

CA Performance Management - Usage and Administration

Issue/Introduction

I am currently running 21.2.2 and plan to upgrade to 21.2.9 next week. I need to know how to configure jetty to support HSTS.

 

Plugin Output: 
  The remote HTTPS server does not send the HTTP
  ""Strict-Transport-Security"" header.

Environment

Dx NetOps Performance Management 21.2.9

Resolution

This can be done in custom headers

 

In 21.2.9 out of the box we use:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'self'; font-src 'self'; frame-src 'self'|X-Frame-Options: SAMEORIGIN|X-Content-Type-Options: nosniff|X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|Feature-Policy: 'none'|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Specifically:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

 

You can use SsoConfig to set Remote Value (so DA gets the same changes) to the OOTB 21.2.9 value and adjust  the headers to be whatever you want

 

Possibly consider changing max-age.  Maybe make it shorter.  It should come into play with relation to how long to trust the https cert.

The out of the box value is 730 days, aka 2 yrs.    You might reduce it in 1/2 to 1 year, 31536000 which is what most certs are good for now.