...

HTTP Strict-Transport-Security (HSTS) can be enabled in the Apache Tomcat that hosts FlexDeploy by following these steps. The steps are manual and edit web.xml, which an upgrade replaces, so they must be repeated every time the FlexDeploy application is upgraded. If you are installing or upgrading, first complete all install or upgrade steps and start the Tomcat server; once that has finished, stop Tomcat and perform the following steps. Keep in mind that browsers only honour the Strict-Transport-Security header when it arrives over HTTPS, so Tomcat (or a load balancer in front of it) must already serve FlexDeploy over HTTPS before HSTS has any effect.

Add the following filter definition to web.xml (under webapps/flexdeploy/WEB-INF). With hstsIncludeSubDomains set to true, browsers will also refuse plain HTTP to every subdomain of the FlexDeploy hostname for the max-age period (31536000 seconds, one year), so confirm that nothing under that hostname still depends on HTTP before enabling it.

Code Block
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <!-- Tomcat's built-in header filter. It only adds Strict-Transport-Security to
       requests it considers secure: HTTPS on the connector, or X-Forwarded-Proto
       honoured through RemoteIpValve/RemoteIpFilter when TLS ends at a load balancer. -->
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- 31536000 seconds = one year during which browsers refuse plain HTTP to this host -->
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <!-- Extends the policy to every subdomain of the FlexDeploy hostname -->
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- Sends X-Frame-Options: SAMEORIGIN so other sites cannot frame FlexDeploy -->
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>

Now add the matching filter-mapping for httpHeaderSecurity, and make it the first filter-mapping in the file so that the security headers are set before any other filter can handle (and possibly commit) the response.

...
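Because an upgrade replaces web.xml, it is worth having a script that re-checks the file after every upgrade instead of trusting memory. The following is an added example and not FlexDeploy's own tooling: it parses web.xml, confirms the httpHeaderSecurity filter is defined with the init-params above (treating hstsMaxAgeSeconds as a minimum), and confirms that the first filter-mapping in the file is the one for httpHeaderSecurity. The two sample web.xml documents embedded below are constructed for the demonstration; the url-pattern and the name otherFilter are assumptions.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "httpHeaderSecurity"
FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# Values from the web.xml fragment above; hstsMaxAgeSeconds is checked as a minimum.
EXPECTED_PARAMS = {
    "hstsEnabled": "true",
    "hstsIncludeSubDomains": "true",
    "antiClickJackingOption": "SAMEORIGIN",
}
MIN_MAX_AGE = 31536000


def _local(tag):
    """Drop the namespace so web.xml parses the same with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def check_web_xml(xml_text):
    """Return the list of deviations from the documented configuration (empty when correct)."""
    root = ET.fromstring(xml_text)
    problems = []
    filters = [f for f in _children(root, "filter") if _text(f, "filter-name") == FILTER_NAME]
    if not filters:
        # Typical after an upgrade: the shipped web.xml replaced the edited one.
        return [f"no <filter> named {FILTER_NAME}; re-apply the HSTS steps"]
    flt = filters[0]
    if _text(flt, "filter-class") != FILTER_CLASS:
        problems.append(f"filter-class is {_text(flt, 'filter-class')!r}, expected {FILTER_CLASS}")
    params = {_text(p, "param-name"): _text(p, "param-value") for p in _children(flt, "init-param")}
    for name, want in EXPECTED_PARAMS.items():
        if params.get(name) != want:
            problems.append(f"init-param {name}={params.get(name)!r}, expected {want!r}")
    try:
        max_age = int(params.get("hstsMaxAgeSeconds", ""))
    except ValueError:
        max_age = -1
    if max_age < MIN_MAX_AGE:
        problems.append(f"hstsMaxAgeSeconds={params.get('hstsMaxAgeSeconds')!r}, expected at least {MIN_MAX_AGE}")
    mappings = _children(root, "filter-mapping")
    if not mappings:
        problems.append("no <filter-mapping> at all; the filter is defined but never applied")
    elif _text(mappings[0], "filter-name") != FILTER_NAME:
        problems.append(f"first filter-mapping is {_text(mappings[0], 'filter-name')!r}; {FILTER_NAME} must come first")
    return problems


# Constructed sample of a correctly edited web.xml (url-pattern and otherFilter are assumptions).
GOOD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>otherFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>
"""

# Constructed sample where HSTS was left off and another filter is mapped first.
BAD_WEB_XML = """<web-app version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>otherFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else GOOD_WEB_XML
    for problem in check_web_xml(text) or ["OK: HttpHeaderSecurityFilter configured as documented"]:
        print(problem)
```

Run it as `python check_web_xml.py webapps/flexdeploy/WEB-INF/web.xml` after each upgrade, before starting Tomcat; a non-empty list means the manual steps above have to be applied again.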

In your setenvoverride.sh or setenvoverride.bat file, set FLEXDEPLOY_HSTS to 1.

To disable HSTS, set FLEXDEPLOY_HSTS to 0. Note that disabling it on the server does not undo HSTS in browsers that have already seen the header: they keep refusing plain HTTP to the host until the max-age (one year with the settings above) expires, or until they receive the header again over HTTPS with max-age=0.

Linux

Code Block
# Set FLEXDEPLOY_HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work.
# Set FLEXDEPLOY_HSTS to 0 to disable HSTS. This allows HTTP connections to work.
export FLEXDEPLOY_HSTS=1

Windows

Code Block
@rem Set FLEXDEPLOY_HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work.
@rem Set FLEXDEPLOY_HSTS to 0 to disable HSTS. This allows HTTP connections to work.
set FLEXDEPLOY_HSTS=1

Session cookies are hardened separately with FLEXDEPLOY_COOKIE_SECURE in the same setenvoverride file. Set it to 1 so the session cookie carries the Secure flag and is only sent over HTTPS; this requires HTTPS on Tomcat itself or on a load balancer in front of it. Set it to 0 only if FlexDeploy must remain reachable over plain HTTP.

Linux

Code Block
# Set FLEXDEPLOY_COOKIE_SECURE to 1 to enable secure session cookies. This requires HTTPS, or a load balancer using HTTPS.
# Set FLEXDEPLOY_COOKIE_SECURE to 0 to disable secure session cookies. This allows HTTP connections to work.
export FLEXDEPLOY_COOKIE_SECURE=1

Windows

Code Block
@rem Set FLEXDEPLOY_COOKIE_SECURE to 1 to enable secure session cookies. This requires HTTPS, or a load balancer using HTTPS.
@rem Set FLEXDEPLOY_COOKIE_SECURE to 0 to disable secure session cookies. This allows HTTP connections to work.
set FLEXDEPLOY_COOKIE_SECURE=1
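After restarting Tomcat, the only proof that the web.xml filter, FLEXDEPLOY_HSTS and FLEXDEPLOY_COOKIE_SECURE all took effect is the response the server actually sends. The following checker is an added example, not part of FlexDeploy: it takes the raw output of `curl -sI https://<host>/flexdeploy/`, verifies the Strict-Transport-Security value (max-age of at least 31536000 and includeSubDomains, which is the format Tomcat's filter emits for the settings above), the X-Frame-Options header, and the Secure flag on every Set-Cookie. The two responses embedded below are constructed; the cookie name JSESSIONID is Tomcat's default and an assumption here.

```python
MIN_MAX_AGE = 31536000  # matches hstsMaxAgeSeconds in the web.xml fragment above


def parse_headers(raw):
    """Split raw response text (status line plus headers) into (lower-cased name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value):
    """Turn 'max-age=31536000;includeSubDomains' into {'max-age': '31536000', 'includesubdomains': ''}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def check_response(raw, over_https=True):
    """Return the list of findings for one response; empty means everything documented is in place."""
    problems = []
    if not over_https:
        # Browsers discard Strict-Transport-Security received over plain HTTP, and
        # Tomcat's filter only adds it to requests it considers secure anyway.
        problems.append("captured over http: HSTS is only honoured when received over https")
    headers = parse_headers(raw)
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        problems.append("Strict-Transport-Security header missing (FLEXDEPLOY_HSTS=0 or filter not mapped?)")
    else:
        directives = parse_hsts(hsts[0])
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            max_age = -1
        if max_age < MIN_MAX_AGE:
            problems.append(f"max-age is {directives.get('max-age')!r}, expected at least {MIN_MAX_AGE}")
        if "includesubdomains" not in directives:
            problems.append("includeSubDomains directive missing")
    frame = [v for n, v in headers if n == "x-frame-options"]
    got_frame = frame[0] if frame else None
    if got_frame is None or got_frame.upper() != "SAMEORIGIN":
        problems.append(f"X-Frame-Options is {got_frame!r}, expected SAMEORIGIN")
    for cookie in (v for n, v in headers if n == "set-cookie"):
        name = cookie.split("=", 1)[0]
        flags = {attr.strip().lower() for attr in cookie.split(";")[1:]}
        if "secure" not in flags:
            problems.append(f"cookie {name} lacks the Secure flag (FLEXDEPLOY_COOKIE_SECURE=0?)")
    return problems


# Constructed responses standing in for `curl -sI https://<host>/flexdeploy/` output.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/flexdeploy; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8
"""

STOCK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/flexdeploy; HttpOnly
Content-Type: text/html;charset=UTF-8
"""

if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else HARDENED_RESPONSE
    for finding in check_response(raw) or ["OK: HSTS, X-Frame-Options and Secure cookie present"]:
        print(finding)
```

Typical use is `curl -sI https://flexdeploy.example.com/flexdeploy/ | python check_headers.py` (hostname and file name are placeholders); run it once against the HTTPS URL after every upgrade, and pass `over_https=False` only when deliberately testing what a plain-HTTP capture proves, which is nothing.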