HTTP Strict-Transport-Security (HSTS)

The Verj.io system supplies an HTTP filter that adds HTTP Strict-Transport-Security (HSTS) headers to responses. By default this filter is disabled; see Enabling HSTS below for the configuration that turns it on.

HTTP Strict-Transport-Security (HSTS)

The HTTP Strict-Transport-Security (HSTS) response header lets a web site tell the browser that it should only be accessed using HTTPS, instead of HTTP. HSTS is defined in the RFC6797 specification.

The first time a website is accessed using HTTPS and the response carries the Strict-Transport-Security header, the browser records this information. All subsequent requests to that site are automatically rewritten to HTTPS, even if they are attempted using HTTP.

The header protects against man-in-the-middle attacks that attempt to downgrade the connection from HTTPS to plain HTTP.
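The browser-side behaviour described above, as an added Python example (written for this page, not code from the Verj.io product): it parses the header according to RFC 6797 and keeps a small "known HSTS hosts" store, showing that the header is honoured only when received over HTTPS, that later http:// URLs for the host (and, with includeSubDomains, its subdomains) are rewritten to https://, and that the entry expires after max-age or is dropped by max-age=0. The host names, header values and clock values are constructed for the example.

```python
"""Browser-side HSTS behaviour (RFC 6797), modelled in Python.
Added illustration, not code from the Verj.io product; every host name,
header value and timestamp used here is constructed for the example."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    value is invalid (missing, duplicated or non-numeric max-age), which is
    when a browser ignores the header instead of guessing.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if not name:
            continue
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives (e.g. preload) are ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """Minimal model of a browser's list of known HSTS hosts."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so that expiry can be tested
        self._hosts = {}     # host -> (expiry timestamp, includeSubDomains)

    def record(self, url, headers):
        """Process one response. The header is honoured only over HTTPS
        (RFC 6797, 8.1): over plain HTTP an attacker could have injected it."""
        parts = urlsplit(url)
        host = parts.hostname
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or host is None or value is None:
            return
        policy = parse_hsts(value)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
            return
        self._hosts[host] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host):
        """True if host itself, or a parent domain that set includeSubDomains,
        has an unexpired policy."""
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch (RFC 6797, 8.3):
        http:// becomes https:// for known hosts, and an explicit port 80
        becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc
        if parts.port == 80:
            netloc = netloc[: netloc.rfind(":")] + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # constructed first visit over HTTPS, carrying the policy
    store.record("https://www.example.com/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    for attempt in ("http://www.example.com/login", "http://api.www.example.com/", "http://example.com/"):
        print(attempt, "->", store.rewrite(attempt))
```

The store deliberately ignores a policy received over plain HTTP and any header with a malformed max-age; both are the RFC's behaviour and the reason the first visit to a site must already be over HTTPS for HSTS to take effect.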

 

Enabling HSTS

The HSTS headers are generated by the org.apache.catalina.filters.HttpHeaderSecurityFilter configured in the web.xml file of the Verj.io application on the server. Once this filter has been enabled, the Strict-Transport-Security header is added to responses. The filter also adds the X-Frame-Options and X-Content-Type-Options HTTP headers to the response.

Here is an example of a more advanced configuration of this filter (the Apache Tomcat filter documentation describes each parameter in further detail):

<!-- ================== Built In Filter Definitions ===================== -->
 
<!-- A filter that sets various security related HTTP Response headers.   -->
<!-- This filter supports the following initialization parameters         -->
<!-- (default values are in square brackets):                             -->
<!--                                                                      -->
<!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
<!--                       (HSTS) header be added to the response? See    -->
<!--                       RFC 6797 for more information on HSTS. [true]  -->
<!--                                                                      -->
<!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
<!--                       HSTS header. Negative values will be treated   -->
<!--                       as zero. [0]                                   -->
<!--                                                                      -->
<!--   hstsIncludeSubDomains                                              -->
<!--                       Should the includeSubDomains parameter be      -->
<!--                       included in the HSTS header.                   -->
<!--                                                                      -->
<!--   antiClickJackingEnabled                                            -->
<!--                       Should the anti click-jacking header           -->
<!--                       X-Frame-Options be added to every response?    -->
<!--                       [true]                                         -->
<!--                                                                      -->
<!--   antiClickJackingOption                                             -->
<!--                       What value should be used for the header. Must -->
<!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
<!--                       (case-insensitive). [DENY]                     -->
<!--                                                                      -->
<!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->
<!--                       allowed? []                                    -->
<!--                                                                      -->
<!--   blockContentTypeSniffingEnabled                                    -->
<!--                       Should the header that blocks content type     -->
<!--                       sniffing be added to every response? [true]    -->
<!--                                                                      -->

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
 
<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
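To see what the fragment above produces, here is an added Python model of the filter's header generation (an illustration written for this page, not Tomcat's or Verj.io's code). FILTER_CONFIG copies the three init-params from the web.xml fragment and fills in the documented defaults for the rest; the treatment of negative max-age values follows the parameter comments above, and the rule that the HSTS header is added only when the request is secure follows Tomcat's filter and RFC 6797. The audit function lists the settings a reviewer would question before deployment.

```python
"""Response headers produced by the HttpHeaderSecurityFilter parameters
shown above, modelled in Python so the expected output can be checked
offline. Added illustration, not Tomcat's or Verj.io's code."""

# Values copied from the web.xml fragment above; the remaining parameters
# are not set there, so the documented defaults apply.
FILTER_CONFIG = {
    "hstsEnabled": "true",
    "hstsMaxAgeSeconds": "31536000",
    "hstsIncludeSubDomains": "false",
    "antiClickJackingEnabled": "true",
    "antiClickJackingOption": "DENY",
    "antiClickJackingUri": "",
    "blockContentTypeSniffingEnabled": "true",
}


def _flag(config, name, default):
    """Read a boolean init-param the way a servlet filter would (string compare)."""
    return config.get(name, default).strip().lower() == "true"


def _max_age(config):
    # Negative values are treated as zero, as the parameter documentation says.
    return max(0, int(config.get("hstsMaxAgeSeconds", "0")))


def security_headers(config, request_is_secure):
    """Headers the filter adds to one response for the given configuration."""
    headers = {}
    if _flag(config, "hstsEnabled", "true") and request_is_secure:
        # The HSTS header is only meaningful over HTTPS: browsers must ignore
        # it on plain-HTTP responses (RFC 6797, 8.1) and Tomcat's filter only
        # adds it when the request is secure. The first visit therefore has
        # to be over HTTPS for the policy to take effect.
        value = f"max-age={_max_age(config)}"
        if _flag(config, "hstsIncludeSubDomains", "false"):
            value += ";includeSubDomains"
        headers["Strict-Transport-Security"] = value
    if _flag(config, "antiClickJackingEnabled", "true"):
        option = config.get("antiClickJackingOption", "DENY").strip().upper()
        if option == "ALLOW-FROM":
            option = f"ALLOW-FROM {config.get('antiClickJackingUri', '').strip()}"
        headers["X-Frame-Options"] = option
    if _flag(config, "blockContentTypeSniffingEnabled", "true"):
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def audit(config):
    """Findings a reviewer would raise about the configuration."""
    findings = []
    hsts_on = _flag(config, "hstsEnabled", "true")
    if not hsts_on:
        findings.append("hstsEnabled is false: no Strict-Transport-Security header is sent")
    elif _max_age(config) == 0:
        findings.append("hstsMaxAgeSeconds is 0 (the filter default): the policy expires "
                        "immediately, so browsers never pin the site to HTTPS")
    if hsts_on and not _flag(config, "hstsIncludeSubDomains", "false"):
        findings.append("hstsIncludeSubDomains is false: subdomains stay outside the policy; "
                        "set it to true once every subdomain serves HTTPS")
    return findings


if __name__ == "__main__":
    for secure in (True, False):
        print("secure request" if secure else "plain-HTTP request",
              security_headers(FILTER_CONFIG, secure))
    for finding in audit(FILTER_CONFIG):
        print("finding:", finding)
```

Running the block shows the three headers a client should see on an HTTPS response from the configured server, and that a plain-HTTP response carries only X-Frame-Options and X-Content-Type-Options; checking a deployment against that expected set is the quickest way to confirm the filter is actually enabled.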