Enable HTTP Strict Transport Security (HSTS) Headers
HTTP Strict Transport Security (HSTS) instructs browsers to reach a host only over HTTPS. Enable it for the applications deployed on your server, then confirm that the Strict-Transport-Security header is actually present in the HTTP response. HSTS is not enabled for applications in WSO2 Identity Server by default.
Note
Do not enable HSTS in development environments. Once a browser has seen the header for a host, it refuses plain-HTTP connections to that host and no longer lets the user click through certificate warnings, so the self-signed certificates normally used in development lock the browser out until the policy expires or is cleared manually.
Enable for Console
If the HttpHeaderSecurityFilter element is present in the <IS_HOME>/repository/conf/tomcat/console/WEB-INF/web.xml file, as shown below, security headers are configured by default for the WSO2 Identity Server Console of every profile. The default definition, however, sets hstsEnabled to false, so in a production deployment Strict-Transport-Security has to be enabled explicitly by editing that filter definition.
Following is the default filter configuration.
```xml
<!-- Tomcat http header security filter -->
<filter>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
```
Shown below is how you enable HSTS. Remove the hstsEnabled parameter (the filter treats it as true unless it is explicitly set to false) and set hstsMaxAgeSeconds: the filter's default for it is 0, which would send max-age=0 and tell browsers to discard any stored policy. The value 15768000 is six months. If every subdomain of the host is also served over HTTPS, you can additionally set hstsIncludeSubDomains to true; leave it out otherwise, because it would break HTTP-only subdomains.
```xml
<!-- Tomcat http header security filter -->
<filter>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- hstsEnabled is omitted: the filter treats it as true unless set to false -->
    <init-param>
        <!-- max-age sent to browsers, in seconds (15768000 = six months);
             the filter default of 0 would tell browsers to drop the policy -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>15768000</param-value>
    </init-param>
</filter>
```
Enable for web applications
Similar to the Console, check each web application deployed under the <IS_HOME>/repository/deployment/server/webapps/ directory: open its WEB-INF/web.xml and look for the HttpHeaderSecurityFilter definition. If the filter is present, enable HSTS by giving it a max-age and mapping it to every request, as shown below.
```xml
<filter>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <!-- required: without it the filter sends max-age=0, which disables HSTS in the browser -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>15768000</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <!-- /* covers every request to the application; a bare * is not a valid servlet url-pattern -->
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
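Both sections above end with "confirm that the header is present", and the easiest way to do that is from the command line. The script below is an added example and is not part of the WSO2 Identity Server documentation or product: it fetches only the response headers with curl and checks that a Strict-Transport-Security header is present with a max-age of at least six months (the 15768000 used in the web.xml snippets). The Console URL https://localhost:9443/console/ and the threshold are assumptions; adjust them for your deployment and run the same check against each web application you edited.

```shell
# Added example, not WSO2 code. Verifies that a deployed application
# returns a usable Strict-Transport-Security header. The default URL and
# the six-month threshold are assumptions for illustration.

MIN_MAX_AGE=15768000   # six months, the hstsMaxAgeSeconds value used above

# hsts_max_age: read raw HTTP response headers on stdin and print the
# max-age value of the Strict-Transport-Security header. Prints nothing
# when the header or the directive is absent.
hsts_max_age() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "strict-transport-security" {
            n = split($2, directive, ";[ \t]*")
            for (i = 1; i <= n; i++) {
                d = tolower(directive[i])
                if (d ~ /^max-age=/) {
                    sub(/^max-age=/, "", d)
                    gsub(/"/, "", d)        # RFC 6797 allows a quoted value
                    print d
                    exit
                }
            }
        }'
}

# hsts_ok: succeed only when the headers on stdin carry HSTS with a
# numeric max-age of at least MIN_MAX_AGE. A missing header, a
# non-numeric value and max-age=0 (which tells browsers to forget the
# policy) all count as "not enabled".
hsts_ok() {
    age=$(hsts_max_age)
    case $age in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$age" -ge "$MIN_MAX_AGE" ]
}

# check_url: fetch only the response headers over TLS and run the check.
# -k skips certificate verification so the command also works against the
# default self-signed certificate; it does not influence the header itself.
check_url() {
    url=${1:-https://localhost:9443/console/}   # assumed default Console URL
    if curl -skI --max-time 10 "$url" | hsts_ok; then
        echo "OK: $url sends Strict-Transport-Security with max-age >= $MIN_MAX_AGE"
    else
        echo "FAIL: $url sends no Strict-Transport-Security header, or max-age is below $MIN_MAX_AGE" >&2
        return 1
    fi
}
```

Run `check_url https://your-host:9443/console/` after restarting the server, and repeat it for the context path of every web application whose web.xml you changed. Because the header is only meaningful on HTTPS responses, always point the check at the TLS port; browsers ignore Strict-Transport-Security received over plain HTTP.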