HTTP Strict-Transport-Security (HSTS)
The Verj.io system supplies an HTTP filter that adds HTTP Strict-Transport-Security (HSTS) headers. By default this filter is disabled; see the configuration below to enable HSTS.
The HTTP Strict-Transport-Security (HSTS) response header lets a web site tell the browser that it should only be accessed using HTTPS, never plain HTTP. HSTS is defined in the RFC 6797 specification.

The first time a website is accessed over HTTPS and the response carries the Strict-Transport-Security header, the browser records the policy. For as long as the policy is valid, the browser automatically upgrades all subsequent requests to HTTPS, even those attempted using HTTP.

The header helps protect against man-in-the-middle attacks.
The HSTS headers are generated by the org.apache.catalina.filters.HttpHeaderSecurityFilter, which is declared in the web.xml file of the Verj.io application on the server. Once this filter has been enabled, the Strict-Transport-Security header is applied to each response. The filter also adds the X-Frame-Options and X-Content-Type-Options HTTP headers to the response.

Here is an example of a more advanced configuration of this filter:
<!-- ================== Built In Filter Definitions ===================== -->

<!-- A filter that sets various security related HTTP Response headers.   -->
<!-- This filter supports the following initialization parameters        -->
<!-- (default values are in square brackets):                             -->
<!--                                                                      -->
<!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
<!--                       (HSTS) header be added to the response? See    -->
<!--                       RFC 6797 for more information on HSTS. [true]  -->
<!--                                                                      -->
<!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
<!--                       HSTS header. Negative values will be treated   -->
<!--                       as zero. [0]                                   -->
<!--                                                                      -->
<!--   hstsIncludeSubDomains                                              -->
<!--                       Should the includeSubDomains parameter be      -->
<!--                       included in the HSTS header.                   -->
<!--                                                                      -->
<!--   antiClickJackingEnabled                                            -->
<!--                       Should the anti click-jacking header           -->
<!--                       X-Frame-Options be added to every response?    -->
<!--                       [true]                                         -->
<!--                                                                      -->
<!--   antiClickJackingOption                                             -->
<!--                       What value should be used for the header. Must -->
<!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
<!--                       (case-insensitive). [DENY]                     -->
<!--                                                                      -->
<!--   antiClickJackingUri If ALLOW-FROM is used, what URI should be      -->
<!--                       allowed? []                                    -->
<!--                                                                      -->
<!--   blockContentTypeSniffingEnabled                                    -->
<!--                       Should the header that blocks content type     -->
<!--                       sniffing be added to every response? [true]    -->
<!--                                                                      -->

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
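The following script is an added example and is not part of Verj.io or Tomcat. It ties the two halves of this page together: it reads the HttpHeaderSecurityFilter init-params from a web.xml fragment (merged over the defaults listed in the comments above), derives the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options values the filter should emit, parses a captured Strict-Transport-Security header according to RFC 6797, and reports any mismatch. The web.xml fragment and the response headers are constructed samples; the function names are the example's own.

```python
"""Check captured response headers against a web.xml HttpHeaderSecurityFilter
configuration. Added example; not Verj.io or Tomcat code."""
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Defaults as documented in the filter's web.xml comments.
DEFAULTS = {
    "hstsEnabled": "true",
    "hstsMaxAgeSeconds": "0",
    "hstsIncludeSubDomains": "false",
    "antiClickJackingEnabled": "true",
    "antiClickJackingOption": "DENY",
    "antiClickJackingUri": "",
    "blockContentTypeSniffingEnabled": "true",
}

# Constructed sample: the filter declaration from this page, in a namespaced web-app.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>false</param-value></init-param>
  </filter>
</web-app>"""

# Constructed sample responses: one from a correctly configured server, one
# from a server on which the filter is still disabled.
GOOD_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
FILTER_OFF_RESPONSE = {"Content-Type": "text/html"}


def _local(tag):
    """Strip the web-app XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def filter_params(web_xml):
    """Init-params of HttpHeaderSecurityFilter, merged over the documented defaults."""
    params = dict(DEFAULTS)
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "filter":
            continue
        cls = "".join((c.text or "") for c in el if _local(c.tag) == "filter-class").strip()
        if cls != FILTER_CLASS:
            continue
        for ip in (c for c in el if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv["param-name"]] = kv["param-value"]
    return params


def expected_headers(params):
    """Header values the filter emits on an HTTPS response under these params."""
    exp = {}
    if params["hstsEnabled"].lower() == "true":
        max_age = max(0, int(params["hstsMaxAgeSeconds"]))  # negatives are treated as zero
        value = f"max-age={max_age}"
        if params["hstsIncludeSubDomains"].lower() == "true":
            value += ";includeSubDomains"
        exp["strict-transport-security"] = value
    if params["antiClickJackingEnabled"].lower() == "true":
        option = params["antiClickJackingOption"].upper()
        if option == "ALLOW-FROM":
            option = f"ALLOW-FROM {params['antiClickJackingUri']}"
        exp["x-frame-options"] = option
    if params["blockContentTypeSniffingEnabled"].lower() == "true":
        exp["x-content-type-options"] = "nosniff"
    return exp


def parse_hsts(value):
    """Split an STS value into directives (RFC 6797: ';'-separated, names case-insensitive)."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out


def check_response(headers, params, min_max_age=31536000):
    """Return a list of findings (empty when the response matches the configuration)."""
    got = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, want in expected_headers(params).items():
        if name not in got:
            findings.append(f"missing {name}")
        elif name == "strict-transport-security":
            d = parse_hsts(got[name])
            if "max-age" not in d or not d["max-age"].isdigit():
                findings.append("STS without a valid max-age")
            elif int(d["max-age"]) < min_max_age:
                findings.append(f"STS max-age {d['max-age']} below {min_max_age}")
            if params["hstsIncludeSubDomains"].lower() == "true" and "includesubdomains" not in d:
                findings.append("STS lacks includeSubDomains")
        elif got[name].strip().lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got[name]!r}")
    return findings


if __name__ == "__main__":
    params = filter_params(SAMPLE_WEB_XML)
    print("expected:", expected_headers(params))
    print("good response:", check_response(GOOD_RESPONSE, params) or "OK")
    print("filter disabled:", check_response(FILTER_OFF_RESPONSE, params))
```

Two points worth noting when reading the results. First, with the documented default hstsMaxAgeSeconds of 0 the filter emits max-age=0, which RFC 6797 defines as an instruction to the browser to discard any stored policy, so an "enabled" filter with the default max-age enforces nothing; the check flags this. Second, Tomcat's HttpHeaderSecurityFilter only adds the Strict-Transport-Security header when it considers the request secure, so behind a TLS-terminating proxy the container must be told the connection is HTTPS (for example via its proxy support or the connector's secure setting) or the header will never appear, which is exactly the "missing strict-transport-security" finding above.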