HTTP Strict Transport Security (HSTS) is a mechanism that allows a website to declare that it can be accessed only over a secure connection (HTTPS).

HTTP Strict-Transport-Security (HSTS) in Apache Tomcat can be enabled by following these steps. The steps are manual and must be performed every time the FlexDeploy application is upgraded. If you are installing or upgrading, first follow all of the install / upgrade steps and start the Tomcat server. Once that is complete, stop Tomcat and perform the following steps.

In your setenvoverride.sh or setenvoverride.bat file, set HSTS to 1.

To disable, set HSTS to 0.

Linux

# Set HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work.
# Set HSTS to 0 to disable HSTS. This allows HTTP connections to work.
HSTS=0

Windows

@rem Set HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work.
@rem Set HSTS to 0 to disable HSTS. This allows HTTP connections to work.
set HSTS=0

If you enable HSTS, you probably also want to set SECURE_COOKIE to 1.

Linux

# Set SECURE_COOKIE to 1 to enable secure session cookies. This requires HTTPS, or a load balancer using HTTPS.
# Set SECURE_COOKIE to 0 to disable secure session cookies. This allows HTTP connections to work.
SECURE_COOKIE=0

Windows

@rem Set SECURE_COOKIE to 1 to enable secure session cookies. This requires HTTPS, or a load balancer using HTTPS.
@rem Set SECURE_COOKIE to 0 to disable secure session cookies. This allows HTTP connections to work.
set SECURE_COOKIE=0
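
After restarting Tomcat with both settings at 1, the response headers show whether they took effect. The script below is an added example, not FlexDeploy's own code: it audits a block of response headers for an HSTS header and for cookies missing the Secure attribute, using constructed sample responses and assuming Tomcat's default session cookie name JSESSIONID.

```shell
#!/bin/sh
# Added example: audit HTTP response headers after setting HSTS=1 and SECURE_COOKIE=1.
# Both samples are constructed for illustration; they are not captured FlexDeploy output.
# JSESSIONID is Tomcat's default session cookie name (assumed here).
SAMPLE_ENABLED='HTTP/1.1 200
Strict-Transport-Security: max-age=31536000;includeSubDomains
Set-Cookie: JSESSIONID=CONSTRUCTED0001; Path=/; Secure; HttpOnly'
SAMPLE_DISABLED='HTTP/1.1 200
Set-Cookie: JSESSIONID=CONSTRUCTED0002; Path=/; HttpOnly'

# Print the HSTS max-age in seconds; print nothing if the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' |
        grep '^strict-transport-security:' | head -n 1 |
        sed -n 's/.*max-age *= *"\{0,1\}\([0-9][0-9]*\).*/\1/p'
}

# Print the name of every cookie whose Set-Cookie line lacks the Secure attribute.
insecure_cookies() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)        # drop the header name
            n = split(line, attr, ";")
            secure = 0
            for (i = 2; i <= n; i++) {            # attr[1] is name=value
                a = tolower(attr[i]); gsub(/[ \t]/, "", a)
                if (a == "secure") secure = 1
            }
            if (!secure) { split(attr[1], nv, "="); print nv[1] }
        }'
}

# Return 0 only if HSTS is advertised with max-age > 0 and all cookies are Secure.
audit_headers() {
    rc=0
    age=$(hsts_max_age "$1")
    if [ -z "$age" ] || [ "$age" -eq 0 ]; then
        echo "FAIL: no Strict-Transport-Security header with max-age > 0"; rc=1
    fi
    bad=$(insecure_cookies "$1" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "FAIL: cookie(s) without Secure: $bad"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: HSTS max-age=$age, all cookies Secure"
    return "$rc"
}

audit_headers "$SAMPLE_ENABLED"  || true
audit_headers "$SAMPLE_DISABLED" || true
```

To check a live server, pass it the headers from an HTTPS request, for example `audit_headers "$(curl -sI https://HOST/)"`, where HOST is a placeholder for your FlexDeploy address.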