HTTP Strict-Transport-Security (HSTS) in Apache Tomcat can be enabled by following these steps. These steps are manual and will need to be performed every time FlexDeploy application is upgraded. If you are installing or upgrading, please follow all steps for install / upgrade and start Tomcat server. Once that is completed, stop Tomcat to perform following steps.
Please add this in web.xml (under webapps/flexdeploy/WEB-INF)
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>hstsEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>hstsMaxAgeSeconds</param-name> <param-value>31536000</param-value> </init-param> <init-param> <param-name>hstsIncludeSubDomains</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> </filter>
Now this filter-mapping should be added as first filter-mapping in this file.
<filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>