HCL Commerce Version 9.1.2.0 or later

Enabling the Strict-Transport-Security header

You can configure the Strict-Transport-Security (HSTS) header to help protect your site against man-in-the-middle attacks such as SSL stripping. The header tells the browser that, for the duration of max-age, it must load the site only over HTTPS and must rewrite any attempt to reach the site over HTTP into an HTTPS request before the request is sent. Browsers honour the header only when it is received over a valid HTTPS connection; a copy received over plain HTTP is ignored, so the HTTPS endpoint is the one that must emit it.

About this task

Use these instructions to configure your servers so that browsers access your site only over HTTPS, never over HTTP.

For more information about this header, please see the Mozilla.org documentation page.

The following are the possible directives for your Strict-Transport-Security header value:
max-age=<expire-time>
The time, in seconds, for which the browser should remember that the site is only to be accessed using HTTPS. The timer is refreshed on every HTTPS response that carries the header. A value of 0 tells the browser to discard the stored policy, which is the only way to switch HSTS off for clients that have already cached it.
includeSubDomains (Optional)
If this optional directive is specified, the rule applies to all of the site's subdomains as well. Any subdomain that is served only over HTTP becomes unreachable from browsers that have cached the policy, so confirm that every subdomain supports HTTPS before enabling it.
preload (Optional)
Requests inclusion in the HSTS preload list that is built into the major browsers, so that the policy applies even before the first visit. See Preloading Strict Transport Security for details. Not part of the RFC 6797 specification; the preload list also requires includeSubDomains and a max-age of at least one year (31536000 seconds), and removal from the list takes months, so submit only when the whole domain is ready.

Procedure

  • The Transaction Server's HttpSecurityFilter class adds the Strict-Transport-Security header to the response, based on the configuration in the foundation wc-component.xml file. It is enabled by default for the REST-Transaction WAR as follows:
    <_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
    <!-- Set the value of Strict-Transport-Security. Empty value will disable this header. Default value of 31536000 seconds is 1 year. -->
    <_config:property name="Strict-Transport-SecurityHeader" value="max-age=31536000; includeSubDomains"/>
    </_config:configgrouping>
    
  • To customize the Strict-Transport-Security header value, or to specify it for other WARs, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the HCL Commerce configuration file (wc-component.xml).
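After changing the configuration, verify the header that the HTTPS endpoint actually returns rather than trusting the XML. The following POSIX shell script is an added example and is not part of the HCL Commerce product or its documentation. It parses a Strict-Transport-Security value according to the RFC 6797 grammar (case-insensitive directives separated by semicolons, max-age optionally quoted, unknown directives ignored), checks that max-age meets a minimum (defaulting to the one-year value in wc-component.xml), and rejects a preload directive that lacks the includeSubDomains and one-year max-age it requires. The hsts_check_url function wraps curl against a host name you supply; the host name and the curl options are assumptions, and that function needs network access.

```shell
#!/bin/sh
# Added example, not HCL Commerce code: validate a Strict-Transport-Security
# header value, and optionally fetch it from a live HTTPS endpoint.

# hsts_check VALUE [MIN_MAX_AGE]
# Returns 0 when VALUE carries a numeric max-age >= MIN_MAX_AGE (default
# 31536000 seconds, one year) and any preload directive is well-formed.
# Prints the parsed directives so the result is readable by a human.
hsts_check() {
  value=$1
  min_age=${2:-31536000}
  max_age=""
  subdomains=no
  preload=no

  # Directives are case-insensitive and separated by ';'; whitespace around
  # them is insignificant, so lowercase the value and strip blanks first.
  oldifs=$IFS
  IFS=';'
  for directive in $(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' \t'); do
    case $directive in
      max-age=*)
        max_age=${directive#max-age=}
        # The RFC grammar allows the number to be a quoted-string.
        max_age=${max_age#\"}; max_age=${max_age%\"}
        ;;
      includesubdomains) subdomains=yes ;;
      preload) preload=yes ;;
      "") ;;
      # RFC 6797 says unrecognised directives must be ignored; warn only.
      *) echo "warning: ignoring unknown directive '$directive'" >&2 ;;
    esac
  done
  IFS=$oldifs

  # max-age is mandatory; without it browsers ignore the whole header.
  case $max_age in
    ''|*[!0-9]*)
      echo "FAIL: max-age missing or not numeric in '$value'"
      return 1 ;;
  esac
  echo "max-age=$max_age includeSubDomains=$subdomains preload=$preload"

  if [ "$max_age" -lt "$min_age" ]; then
    echo "FAIL: max-age $max_age is below the required $min_age seconds"
    return 1
  fi
  # The preload list only accepts includeSubDomains with a one-year max-age.
  if [ "$preload" = yes ] && { [ "$subdomains" != yes ] || [ "$max_age" -lt 31536000 ]; }; then
    echo "FAIL: preload requires includeSubDomains and max-age >= 31536000"
    return 1
  fi
  return 0
}

# hsts_check_url HOST [MIN_MAX_AGE]
# Fetches the response headers over HTTPS (the only transport on which a
# browser will honour HSTS) and validates the first HSTS header found.
# Assumes curl is installed and HOST is reachable; not run offline.
hsts_check_url() {
  host=$1
  hdr=$(curl -sSI --max-time 10 "https://$host/" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
  if [ -z "$hdr" ]; then
    echo "FAIL: no Strict-Transport-Security header on https://$host/"
    return 1
  fi
  hsts_check "$hdr" "$2"
}

# Example (network required): hsts_check_url store.example.com
# Offline check of the product default from wc-component.xml:
hsts_check "max-age=31536000; includeSubDomains"
```

Run it after each deployment, against every WAR that serves browser traffic; a passing result for the REST-Transaction WAR says nothing about a storefront WAR that was never given the property.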