HSTS in PM Jetty


Article ID: 238552




CA Performance Management - Usage and Administration


I am currently running 21.2.2 and plan to upgrade to 21.2.9 next week. I need to know how to configure jetty to support HSTS.


Plugin Output: 
  The remote HTTPS server does not send the HTTP
  "Strict-Transport-Security" header.


Dx NetOps Performance Management 21.2.9


This can be done with custom headers.

In 21.2.9, out of the box, we use the following custom headers value (individual headers separated by |):

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'self'; font-src 'self'; frame-src 'self'|X-Frame-Options: SAMEORIGIN|X-Content-Type-Options: nosniff|X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|Feature-Policy: 'none'|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

You can use SsoConfig to set the Remote Value (so DA gets the same changes) to the OOTB 21.2.9 value, then adjust the headers to whatever you want.



Possibly consider changing max-age; maybe make it shorter. It should be set in relation to how long you want browsers to trust the HTTPS cert.

The out-of-the-box value of 63072000 seconds is 730 days, aka 2 years. You might reduce it by half to 1 year, 31536000 seconds, which is what most certs are good for now.
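The following is an added example, not part of this article or of the product: a small Python helper that parses the pipe-separated custom headers value quoted above, checks the Strict-Transport-Security directive the same way a scanner or browser would (RFC 6797: max-age required, includeSubDomains and preload optional), reports max-age in days, and rebuilds the value with a shorter max-age. The only assumption about the product is the format visible in the article (headers separated by | as Name: value pairs); the sample input is the out-of-the-box 21.2.9 value.

```python
"""Parse and adjust the Strict-Transport-Security header inside the
pipe-separated custom headers value used by PM Jetty.

Added example, not the product's own code.  The only product-specific
assumption is the 'Name: value|Name: value' format shown in the article;
the HSTS parsing follows RFC 6797 section 6.1.
"""

# Out-of-the-box 21.2.9 custom headers value, copied from the article.
OOTB_HEADERS = (
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' "
    "'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' "
    "'unsafe-inline'; base-uri 'self'; frame-ancestors 'self'; font-src 'self'; "
    "frame-src 'self'|X-Frame-Options: SAMEORIGIN|X-Content-Type-Options: nosniff|"
    "X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|"
    "Feature-Policy: 'none'|Strict-Transport-Security: max-age=63072000; "
    "includeSubDomains; preload"
)

SECONDS_PER_DAY = 86400


def parse_custom_headers(value):
    """Split 'Name: v|Name: v' into an ordered list of (name, value) tuples.

    Only the first ':' is treated as the separator, so values such as the
    CSP 'img-src ... data:' survive intact.
    """
    headers = []
    for item in value.split("|"):
        if not item.strip():
            continue
        name, sep, val = item.partition(":")
        if not sep:
            raise ValueError("header without ':' separator: %r" % item)
        headers.append((name.strip(), val.strip()))
    return headers


def parse_hsts(value):
    """Parse an HSTS field value per RFC 6797 section 6.1.

    Returns {'max_age': int, 'includeSubDomains': bool, 'preload': bool}.
    Raises ValueError when max-age is missing, repeated or not an integer,
    which is what a conforming browser (and a scanner) would reject.
    """
    result = {"max_age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if result["max_age"] is not None:
                raise ValueError("max-age given more than once")
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer: %r" % arg)
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Unrecognised directives are ignored, as RFC 6797 requires.
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def hsts_max_age_days(custom_headers):
    """Return the HSTS max-age in whole days, or None when the header is absent
    (the condition behind the scanner finding quoted in the article)."""
    for name, val in parse_custom_headers(custom_headers):
        if name.lower() == "strict-transport-security":
            return parse_hsts(val)["max_age"] // SECONDS_PER_DAY
    return None


def set_hsts_max_age(custom_headers, seconds):
    """Rebuild the custom headers value with a new HSTS max-age, keeping every
    other header and the includeSubDomains / preload flags unchanged."""
    rebuilt = []
    for name, val in parse_custom_headers(custom_headers):
        if name.lower() == "strict-transport-security":
            flags = parse_hsts(val)
            parts = ["max-age=%d" % seconds]
            if flags["includeSubDomains"]:
                parts.append("includeSubDomains")
            if flags["preload"]:
                parts.append("preload")
            val = "; ".join(parts)
        rebuilt.append("%s: %s" % (name, val))
    return "|".join(rebuilt)


if __name__ == "__main__":
    print("OOTB HSTS max-age: %d days" % hsts_max_age_days(OOTB_HEADERS))
    # One-year value, as the article suggests.
    print(set_hsts_max_age(OOTB_HEADERS, 365 * SECONDS_PER_DAY))
```

Running the script prints 730 days for the out-of-the-box value and the same custom headers string with max-age=31536000, ready to be pasted as the SsoConfig Remote Value. Because set_hsts_max_age round-trips through the parser, a typo in the edited value (a missing max-age, a doubled directive) fails loudly here instead of silently turning HSTS off in the browser.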