Versions Compared

Old Version 1

changes.mady.by.user Karl Henselin

Saved on

compared with

New Version 2

changes.mady.by.user Karl Henselin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

HTTP Strict-Transport-Security (HSTS) in Apache Tomcat can be enabled by following these steps. These steps are manual and will need to be performed every time FlexDeploy application is upgraded. If you are installing or upgrading, please follow all steps for install / upgrade and start Tomcat server. Once that is completed, stop Tomcat to perform following steps.

Please add this in web.xml (under webapps/flexdeploy/WEB-INF)

Code Block
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>

Now this filter-mapping should be added as first filter-mapping in this file.

...

In your setenvoverride.sh or setenvoverride.bat file, set HSTS to 1.

To Disable, set HSTS to 0.

Linux

Code Block
# Set HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work.
# Set HSTS to 0 to disable HSTS. This allows HTTP connections to work.
HSTS=0

Windows

Code Block
@rem Set HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work.
@rem Set HSTS to 0 to disable HSTS. This allows HTTP connections to work.
set HSTS=0

If you enable HSTS, you probably want to also set SECURE_COOKIE to 1 in addition.

Linux

Code Block
# Set SECURE_COOKIE to 1 to enable secure session cookies. This requires HTTPS, or a load balancer using HTTPS.
# Set SECURE_COOKIE to 0 to disable secure session cookies. This allows HTTP connections to work.
SECURE_COOKIE=0

Windows

Code Block
@rem Set SECURE_COOKIE to 1 to enable secure session cookies. This requires HTTPS, or a load balancer using HTTPS.
@rem Set SECURE_COOKIE to 0 to disable secure session cookies. This allows HTTP connections to work.
set SECURE_COOKIE=0