Securing the application server by using HTTP Strict Transport Security (HSTS)

You can secure WebSphere® Application Server Network Deployment by adding the Strict-Transport-Security (STS) response header to HTTPS responses at the web application level or at the server level. To enable HTTP Strict Transport Security (HSTS) at the web application level, set a web application context parameter. To enable HSTS at the server level, set a server-level web container custom property, or set up HSTS in IBM HTTP Server and then place IBM HTTP Server in front of WebSphere Application Server Network Deployment as a front end.

[8.5.5.18 or later]

Securing a web application using a context parameter

Edit the web.xml for the application and add a context parameter with the com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP param-name. (Note that the param-value provided here is an example.)

<context-param>
   <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param-name>
   <param-value>max-age=31536000; includeSubDomains; preload</param-value>
</context-param>

Note: If the server-level custom property is set (according to the instructions in the next section) and you need to remove the property for a web application, then add a max-age param-value to the context-param with a setting of -1.

<context-param>
   <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param-name>
   <param-value>max-age=-1</param-value>
</context-param>

[8.5.5.18 or later]

Securing the application server using HSTS in a web container custom property

To enable HSTS for the application server, set a server-level custom property with the following property name. (Note that the value provided here is an example.) For more information, see Web container custom properties.
com.ibm.ws.webcontainer.addStrictTransportSecurityHeader="max-age=31536000; includeSubDomains"
Note: If both the web application context-param and the server-level custom property are set, the context-param value takes precedence over the server-level value for that web application.
Avoid trouble:

This configuration change requires an application server restart to take effect.

[8.5.5.18 or later]

Securing the Deployment Manager

HSTS can be enabled on the Deployment Manager with the following script:
$ bin/wsadmin.sh -lang jython

dmgr = AdminConfig.getid("/Server:dmgr/")
webcontainer = AdminConfig.list("WebContainer", dmgr)
AdminConfig.create("Property", webcontainer, [["name", "com.ibm.ws.webcontainer.addStrictTransportSecurityHeader"],["value", "max-age=31536000; includeSubDomains"]])
AdminConfig.show(webcontainer)
AdminConfig.save()

The default port number is 9043. The deployment manager needs to be restarted for this configuration change to take effect.
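A post-restart check, added here as an example and not IBM's code: it parses the Strict-Transport-Security value an HTTPS endpoint returns and reports gaps such as a missing includeSubDomains directive or the max-age=-1 override described above. The fetch_hsts helper assumes the endpoint is reachable on the deployment manager's default port 9043 and that the path / is served; the sample header values are constructed.

```python
import http.client
import ssl
from typing import List, Optional


def parse_hsts(value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains' into {directive: argument-or-True}."""
    policy = {}
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue
        name, _, arg = token.partition("=")
        policy[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return policy


def check_hsts(value: Optional[str], min_age: int = 31536000) -> List[str]:
    """Return findings for a raw STS header value; an empty list means acceptable."""
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    policy = parse_hsts(value)
    age = str(policy.get("max-age", ""))
    if not age.lstrip("-").isdigit():
        return ["max-age directive is missing or not an integer"]
    max_age, findings = int(age), []
    if max_age <= 0:  # e.g. the max-age=-1 context-param override from the web.xml section
        findings.append(f"max-age={max_age} disables HSTS for this host")
    elif max_age < min_age:
        findings.append(f"max-age={max_age} is below the required {min_age}")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains directive is absent")
    if "preload" in policy and ("includesubdomains" not in policy or max_age < 31536000):
        findings.append("preload requires includeSubDomains and max-age >= 31536000")
    return findings


def fetch_hsts(host: str, port: int = 9043, path: str = "/", verify: bool = True) -> Optional[str]:
    """GET path over TLS and return the raw STS header value, or None if the server sent none."""
    ctx = ssl.create_default_context()
    if not verify:  # only for a lab server that still uses a self-signed certificate
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    value = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return value
```

Run `check_hsts(fetch_hsts("dmgr.example.internal"))` after the restart; an empty list confirms the custom property is in effect.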

[8.5.5.18 or later]

Securing Node Agent SOAP Connector address ports

The SOAP connector port is used for internal interprocess communication and is not accessed by browsers, which are the clients that interpret HSTS headers. The default port number is 8880. Configuring HSTS is not applicable for this port, although direct security scans of this port may still report a false positive for missing HSTS headers.

Securing the application server using HSTS in IBM HTTP Server

Procedure

  1. Set up IBM® HTTP Server.

    See the topic on setting up HTTP Strict Transport Security (HSTS).

  2. Add IBM HTTP Server as a front end to your application server environment.

    See the topic on installing and configuring web server plug-ins to determine which option is best for your application server environment.

    This procedure enables HSTS for browsers that access enterprise applications through IHS, but direct security scans of the application server ports might still report missing HSTS headers.