Securing Liberty by using HTTP Strict Transport Security (HSTS)
You can secure Liberty by adding the Strict-Transport-Security (STS) response header to HTTPS responses, either at the web application level or at the server level. To enable HTTP Strict Transport Security (HSTS) at the web application level, set a web application context parameter. To enable HSTS at the server level, set the server-level webcontainer custom property, or add IBM HTTP Server as a front end to Liberty.
Enabling HSTS at the web application level using a context parameter
- To enable this function, first verify that the server has an SSL endpoint defined. See Enabling SSL communication in Liberty for details.
- Then set a web application context parameter. Use the following param-name to add a context parameter in the web.xml file for the application; the param-value shown here is an example:

```xml
<context-param>
  <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param-name>
  <param-value>max-age=31536000; includeSubDomains;preload</param-value>
</context-param>
```
Enabling HSTS at the server level
- To enable this function, first verify that the server has an SSL endpoint defined. See Enabling SSL communication in Liberty for details.
- Add the server-level custom property in server.xml by using the following property name; the value shown here is an example:

```
com.ibm.ws.webcontainer.addStrictTransportSecurityHeader="max-age=31536000;includeSubDomains"
```

  Either the full property name, com.ibm.ws.webcontainer.addStrictTransportSecurityHeader, or the short name, addstricttransportsecurityheader, can be used. The following example uses the short name:

```xml
<webContainer addstricttransportsecurityheader="max-age=31536000;includeSubDomains" />
```
Note:
- If the server-level custom property is set but you need to remove or unset it for a particular web application, add the context-param for that application with a param-value of max-age=-1:

```xml
<context-param>
  <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param-name>
  <param-value>max-age=-1</param-value>
</context-param>
```

- If both the web application context-param and the server-level custom property are provided, the context-param value takes precedence over the server-level value for that web application.
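The precedence rule above and the header values used in the examples can be checked from the client side once the server is configured. The following Python is an added example written for this page, not IBM or Liberty code: it parses a Strict-Transport-Security value the way a browser does (RFC 6797, section 6.1), audits the headers of a constructed HTTPS response for weak or missing HSTS settings, and resolves which value applies to a web application under the context-param-over-server-level rule. The one-year preload threshold comes from the HSTS preload list criteria, and treating a context-param value of max-age=-1 as "no header emitted" is this example's reading of the Note above; both are marked as assumptions in the code.

```python
"""Validator for Strict-Transport-Security (STS) header values, plus a helper
that resolves the effective value for a web application under the precedence
rule described above. Added example; not Liberty code."""
import re
from dataclasses import dataclass
from typing import Optional

# Minimum max-age (one year, in seconds) required by the HSTS preload list;
# the page's example value of 31536000 matches it. Assumption: preload criteria.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value as a browser would (RFC 6797, section 6.1).

    Directives are separated by ';', names are case-insensitive, max-age is
    mandatory and must be a non-negative integer, and each directive may
    appear only once. Unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_ready(policy: HstsPolicy) -> bool:
    """True if the policy meets the HSTS preload list submission criteria
    (max-age of at least one year, includeSubDomains and preload present)."""
    return (policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains and policy.preload)


def effective_sts_value(server_level: Optional[str],
                        context_param: Optional[str]) -> Optional[str]:
    """Resolve which STS value applies to one web application.

    Mirrors the page's precedence rule: a context-param value wins over the
    server-level custom property. The page says a context-param value of
    max-age=-1 removes the server-level setting for that application; this
    example models that as 'no header emitted' (an assumption, since the page
    does not describe the emitted output).
    """
    if context_param is not None:
        return None if context_param.strip() == "max-age=-1" else context_param
    return server_level


def check_response_headers(headers: dict) -> list:
    """Audit the headers of an HTTPS response and return a list of findings;
    an empty list means the HSTS policy looks sound."""
    findings = []
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        findings.append("no Strict-Transport-Security header on HTTPS response")
        return findings
    try:
        policy = parse_hsts(sts)
    except ValueError as exc:
        findings.append(f"unparseable STS header: {exc}")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the host's HSTS policy")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains may still be reached over plain HTTP")
    return findings


if __name__ == "__main__":
    # Constructed responses, not captured from a real server.
    samples = {
        "app with context-param": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains;preload"},
        "server-level only": {"Strict-Transport-Security": "max-age=31536000;includeSubDomains"},
        "app that unset HSTS": {"Content-Type": "text/html"},
    }
    for label, hdrs in samples.items():
        print(label, "->", check_response_headers(hdrs) or "OK")
```

Run the module directly to see the findings for the three constructed responses; in practice, feed `check_response_headers` the header dictionary from an HTTPS request to each application so that the per-application override (including the max-age=-1 unset case) is verified against what the server actually sends rather than against server.xml alone.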
Add IBM HTTP Server as a front end to Liberty
See Add a plug-in configuration to a web server for details.