Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

The HTTP HSTS is a mechanism that allows websites to declare that they can be only accessed via secure connection (HTTPS).

HTTP Strict-Transport-Security (HSTS) in Apache Tomcat can be enabled by following these steps. These steps are manual and will need to be performed every time FlexDeploy application is upgraded. If you are installing or upgrading, please follow all steps for install / upgrade and start Tomcat server. Once that is completed, stop Tomcat to perform following steps.

Please add this in web.xml (under webapps/flexdeploy/WEB-INF)

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>

Now this filter-mapping should be added as first filter-mapping in this file.


<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>


  • No labels