Securing Liberty by using HTTP Strict Transport Security (HSTS)

You can secure Liberty by adding an STS response header to HTTPS responses, either at the web application level or at the server level. To enable HTTP Strict Transport Security (HSTS) at the web application level, set a web application context parameter. To enable HSTS at the server level, set the server-level webcontainer custom property, or add IBM HTTP Server as a front end to Liberty.

Securing HSTS at the web application level using a context parameter

  1. To enable this function, first verify the server has an SSL end point defined. See Enabling SSL communication in Liberty for details.
  2. Then set a web application context parameter.
    Add a context parameter with the following param-name to the web.xml of the application; the param-value shown here is an example:
    <context-param>
       <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param-name>
       <param-value>max-age=31536000; includeSubDomains;preload</param-value>
    </context-param>

Securing HSTS at the server level

  1. To enable this function, first verify the server has an SSL end point defined. See Enabling SSL communication in Liberty for details.
  2. Add the server-level custom property with the following property name; the value shown here is an example:
    com.ibm.ws.webcontainer.addStrictTransportSecurityHeader="max-age=31536000;includeSubDomains"
    The server-level custom property is added in server.xml. Either the full property name, com.ibm.ws.webcontainer.addStrictTransportSecurityHeader, or the short name, addstricttransportsecurityheader, can be used. The following example uses the short name:
    <webContainer addstricttransportsecurityheader="max-age=31536000;includeSubDomains" />
Note:
  • If the server level custom property is set, but the user needs to remove or unset the property for a web application, then add the context-param with a param-value of max-age=-1:
    <context-param>
       <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param-name>
       <param-value>max-age=-1</param-value>
    </context-param>
  • If both the web application context-param and the server level custom property are provided, the context-param value takes precedence over the server level value for that web application.
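
To confirm what a Liberty server actually sends after either configuration, the following added Python example (not from the IBM documentation or the Liberty code base) parses a Strict-Transport-Security header the way RFC 6797 requires and flags weak policies. The response texts are constructed samples that mirror the header values used above; the one-year threshold and the preload-list conditions are assumptions of this checker, not Liberty behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample responses (header section only); not captured from a real Liberty server.
RESPONSE_SERVER_LEVEL = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=31536000;includeSubDomains\r\n\r\n"
RESPONSE_WEBAPP_PRELOAD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains;preload\r\n\r\n"
ONE_YEAR = 31536000  # seconds; the max-age used in the page's examples

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_sts(value: str) -> "HstsPolicy | None":
    """Parse an STS field value per RFC 6797 section 6.1. Returns None when a browser would
    ignore it: max-age missing, repeated, or not a non-negative integer (so 'max-age=-1' is invalid)."""
    seen, max_age, include_sub, preload = set(), None, False, False
    for token in (t for t in value.split(";") if t.strip()):
        name, _, val = (p.strip(' "') for p in token.lower().partition("="))
        if name in seen:                       # each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):  # delta-seconds: digits only
                return None
            max_age = int(val)
        elif name == "includesubdomains":      # directive names are case-insensitive
            include_sub = True
        elif name == "preload":                # unknown directives are ignored per the RFC
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)

def check_response(raw: str) -> list[str]:
    """Return findings for one HTTPS response; an empty list means the HSTS policy is sound."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    sts = [h.partition(":")[2].strip() for h in head
           if h.lower().startswith("strict-transport-security:")]
    if not sts:
        return ["no Strict-Transport-Security header on HTTPS response"]
    policy = parse_sts(sts[0])                 # browsers honour only the first STS field
    if policy is None:
        return ["STS header present but invalid, browsers will ignore it: " + sts[0]]
    checks = [
        (policy.max_age < ONE_YEAR, f"max-age {policy.max_age} is below one year"),
        (not policy.include_subdomains, "includeSubDomains not set; subdomains stay unprotected"),
        (policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains),
         "preload set but preload-list requirements are not met"),
    ]
    return [msg for failed, msg in checks if failed]
```

Point check_response at the header block captured from an HTTPS request to the Liberty endpoint (for example, the output of a verbose HTTPS client) to confirm the context-param or server-level value is actually being emitted.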

Add IBM HTTP Server as a front end to Liberty

See Add a plug-in configuration to a web server for details.