HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect web application users against some passive (eavesdropping) and active network attacks. To enable HSTS for Service Manager (web tier, SRC, or Mobility Client), you only need to enable HSTS in the web server (Apache or IIS) or the web application server (Tomcat or WebSphere) so that an HTTP header named Strict-Transport-Security is added to responses once an HTTPS session has been established.
Important
The following are instructions on how to enable HSTS in the supported web servers and web application servers.
Note
This is supported for Tomcat 8 (8.0.23 and later).
To enable HSTS in Tomcat, follow these steps:
Uncomment the httpHeaderSecurity filter definition and the <filter-mapping> section, and then add the hstsMaxAgeSeconds parameter, as shown below.
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <!-- max-age for the Strict-Transport-Security header, in seconds (31536000 = 365 days) -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <!-- apply the filter to every request path so no response is left without the header -->
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
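The following is an added example, not code from Service Manager, Tomcat, or this documentation. It shows two checks a practitioner would want after applying the steps above: reading the hstsMaxAgeSeconds value and URL pattern back out of a web.xml fragment (the filter lives in Tomcat's conf/web.xml, which carries a default XML namespace, so tag names are compared by local name), and validating the Strict-Transport-Security header a server actually returns against that configured value. The web.xml fragment and the response headers are constructed samples embedded in the script; the function names are this example's own.

```python
"""Check Tomcat HSTS configuration and the header it should produce (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the filter fragment from the page, wrapped in a <web-app>
# root so it parses on its own (the real conf/web.xml already has that root).
WEB_XML_FRAGMENT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def hsts_settings_from_web_xml(xml_text):
    """Return (max_age_seconds, url_pattern) for the httpHeaderSecurity filter,
    or None when the filter definition or its mapping is missing (still commented out)."""
    root = ET.fromstring(xml_text)
    max_age, pattern = None, None
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "filter" and _child_text(elem, "filter-name") == "httpHeaderSecurity":
            for param in elem:
                if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "hstsMaxAgeSeconds":
                    max_age = int(_child_text(param, "param-value"))
        elif name == "filter-mapping" and _child_text(elem, "filter-name") == "httpHeaderSecurity":
            pattern = _child_text(elem, "url-pattern")
    if max_age is None or pattern is None:
        return None
    return max_age, pattern


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).
    Returns {'max_age', 'include_subdomains', 'preload'}, or None if the
    mandatory max-age directive is missing or not an integer."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def check_response(scheme, headers, expected_max_age):
    """Judge a response's HSTS header against the configured policy.
    `headers` is a dict of response headers (name lookup is case-insensitive).
    Browsers ignore HSTS received over plain HTTP (RFC 6797 section 8.1), so the
    header is only expected, and only checked, on HTTPS responses."""
    if scheme != "https":
        return True, "plain HTTP: header not expected; browsers would ignore it"
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "HTTPS response is missing Strict-Transport-Security"
    parsed = parse_hsts(value)
    if parsed is None:
        return False, "malformed Strict-Transport-Security value: %r" % value
    if parsed["max_age"] < expected_max_age:
        return False, "max-age %d is below the configured %d" % (parsed["max_age"], expected_max_age)
    return True, "HSTS policy present with max-age=%d" % parsed["max_age"]


if __name__ == "__main__":
    max_age, pattern = hsts_settings_from_web_xml(WEB_XML_FRAGMENT)
    print("configured: max-age=%d on %s" % (max_age, pattern))
    # Constructed sample responses: what the filter above should emit over HTTPS,
    # a server that was never configured, and a plain-HTTP response.
    samples = [
        ("https", {"Strict-Transport-Security": "max-age=31536000;includeSubDomains"}),
        ("https", {"Content-Type": "text/html"}),
        ("http", {"Content-Type": "text/html"}),
    ]
    for scheme, hdrs in samples:
        print(scheme, check_response(scheme, hdrs, max_age))
```

Run it against your own web.xml by passing the file contents to hsts_settings_from_web_xml, and against a live server by feeding the headers from a real HTTPS response into check_response; a None from the first function means the filter block is still commented out, and a failing second check on the HTTPS endpoint means the header never reaches the client (a proxy or load balancer in front of Tomcat is a common reason).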
for additional information see