Security Hardening options for FlexDeploy

The HTTP HSTS is a mechanism that allows websites to declare that they can be only accessed via secure connection (HTTPS).

HTTP Strict-Transport-Security (HSTS) in Apache Tomcat can be enabled by following these steps. These steps are manual and will need to be performed every time FlexDeploy application is upgraded. If you are installing or upgrading, please follow all steps for install / upgrade and start Tomcat server. Once that is completed, stop Tomcat to perform following steps.

In your setenvoverride.sh or setenvoverride.bat file, set HSTS to 1.

To Disable, set HSTS to 0.

Linux

# Set FLEXDEPLOY_HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work. # Set FLEXDEPLOY_HSTS to 0 to disable HSTS. This allows HTTP connections to work. export FLEXDEPLOY_HSTS=1

Windows

@rem Set FLEXDEPLOY_HSTS to 1 to enable HSTS. This allows only HTTPS browser connections to work. @rem Set FLEXDEPLOY_HSTS to 0 to disable HSTS. This allows HTTP connections to work. set FLEXDEPLOY_HSTS=1

If you enable HSTS, you probably want to also set FLEXDEPLOY_COOKIE_SECUREto 1 in addition.

Linux

# Set FLEXDEPLOY_COOKIE_SECURE to 1 to enable secure session cookies. This requires HTTPS, or a load balancer using HTTPS. # Set FLEXDEPLOY_COOKIE_SECURE to 0 to disable secure session cookies. This allows HTTP connections to work. export FLEXDEPLOY_COOKIE_SECURE=1

Windows

The following macros are not currently supported in the footer:
  • style