Support of the HTTP Strict Transport Security protocol

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect web application users against some passive (eavesdropping) and active network attacks by instructing the browser to use only HTTPS for the host. To enable HSTS for Service Manager (web tier, SRC, or Mobility Client), you only need to enable HSTS in the web server (Apache or IIS) or the web application server (Tomcat or WebSphere) so that an HTTP response header named Strict-Transport-Security is added once an HTTPS session has been established; browsers ignore the header when it is received over plain HTTP.

  • If you are using a web server in front of your web application server, you only need to enable HSTS in the web server; otherwise, you need to enable HSTS in the web application server. However, be aware that if you are using WebSphere, you must configure an IBM HTTP Server in front of WebSphere and enable HSTS in the IBM HTTP Server.
  • HSTS works only for ports 80 and 443. Make sure your web server or web application server is configured to use port 80 for HTTP and port 443 for HTTPS.
  • To use HSTS, be sure to enable the secureLogin parameter in the Service Manager web tier, SRC, and Mobility Client and configure SSL between the web application server and browser.

The following are instructions on how to enable HSTS in the supported web servers and web application servers.

How to enable HSTS in Tomcat

Note: This is supported for Tomcat 8 (8.0.23 and later).

To enable HSTS in Tomcat, follow these steps:

  1. Open the <Tomcat>/conf/web.xml file in a text editor.
  2. Uncomment the httpHeaderSecurity filter definition and the <filter-mapping> section, and then add the hstsMaxAgeSeconds parameter, as shown below.

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
  3. Save the file.
  4. Restart Tomcat.

How to enable HSTS in WebSphere

You cannot directly enable HSTS in WebSphere. You must configure an IBM HTTP Server in front of WebSphere and then enable HSTS in the IBM HTTP Server.

For details, see the following IBM knowledge article: Setting up HTTP Strict Transport Security (HSTS).

How to enable HSTS in Apache

To enable HSTS in an Apache server, follow these steps:

  1. Open the <Apache>/conf/httpd.conf file in a text editor.

  2. Uncomment the line that loads the headers module (mod_headers):

    LoadModule headers_module modules/mod_headers.so
  3. Add the header directive to the HTTPS VirtualHost section (the header is honored only when it is received over HTTPS, so setting it in the port 80 virtual host has no effect):

    <VirtualHost www.example.com:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </VirtualHost>
  4. Restart Apache.

How to enable HSTS in IIS

To enable HSTS in IIS, do the following:

  1. Add a Strict-Transport-Security header to the web.config file under the IIS installation root directory:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    
  2. Restart IIS.
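After enabling HSTS in any of the servers above, verify what the server actually sends rather than trusting the configuration. The following is an added example, not part of the Service Manager documentation or of Tomcat, Apache or IIS: it parses a Strict-Transport-Security header value the way a browser does (RFC 6797 directive grammar), reports the mistakes that most often make the policy ineffective (header delivered over plain HTTP, max-age shorter than the one year the page's examples use, preload without includeSubDomains), and includes a helper that fetches the live header over HTTPS. The sample responses are constructed for illustration; the host name and the one-year threshold are assumptions you should replace with your own.

```python
"""Added example: parse and sanity-check a Strict-Transport-Security header.
Not part of the Service Manager documentation; sample responses below are constructed."""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 6797 section 6.1: directives are separated by ";", names are case-insensitive,
# max-age is required, includeSubDomains and preload carry no value, unknown
# directives are ignored, and a directive must not appear more than once.


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains; preload'."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.unknown.append(name)
    if policy.max_age is None:
        raise ValueError("max-age directive is required")
    return policy


def check_hsts(scheme: str, headers: Dict[str, str], min_age: int = 31536000) -> List[str]:
    """Return findings for one response; an empty list means the policy looks sound.
    min_age defaults to one year (assumption: the value the page's examples use)."""
    findings: List[str] = []
    # Header names are case-insensitive, so do not rely on the dict key's spelling.
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header in response"]
    if scheme != "https":
        findings.append("header delivered over plain HTTP; browsers ignore it (RFC 6797 8.1)")
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    if policy.max_age == 0:
        findings.append("max-age=0 removes the policy from the browser cache")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the recommended {min_age} (one year)")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload requires includeSubDomains")
    return findings


def fetch_headers(host: str, port: int = 443, path: str = "/", timeout: float = 5.0) -> Dict[str, str]:
    """Issue one HTTPS GET and return the response headers (real network call; not used by tests)."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "apache-ok": ("https", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    "sent-over-http": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "short-max-age": ("https", {"strict-transport-security": "max-age=3600"}),
    "preload-no-subdomains": ("https", {"Strict-Transport-Security": "max-age=31536000; preload"}),
    "missing": ("https", {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for label, (scheme, hdrs) in SAMPLES.items():
        print(f"{label}: {check_hsts(scheme, hdrs) or ['ok']}")
    # Live check against your own server, for example (hypothetical host):
    # print(check_hsts("https", fetch_headers("sm.example.com")))
```

Run the live check against the port 443 endpoint that the browser uses (the web server when one sits in front of the application server), and run it again over port 80 to confirm that the only thing HTTP does is redirect; a header seen on the HTTP response is harmless but means nothing to the browser. With Tomcat's HttpHeaderSecurityFilter the header is emitted only for requests Tomcat considers secure, so if SSL is terminated in front of Tomcat, the checker will report the header as missing until the connector is marked secure.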