Configure HTTP Strict Transport Security


HTTP Strict Transport Security (HSTS) is a simple and widely supported standard that protects visitors by ensuring that their browsers always connect to a website over HTTPS. On Tomcat it is provided by the bundled HttpHeaderSecurityFilter, which adds the Strict-Transport-Security response header.

To configure HSTS:

  1. Open the <Tomcat>/conf/web.xml file in a text editor.

  2. Remove the stock httpHeaderSecurity entries (in a default web.xml both are present but commented out):

    • the httpHeaderSecurity <filter> definition

    • its <filter-mapping> section

  3. Add the filter definition and mapping back with the hstsMaxAgeSeconds parameter set. The filter's HSTS header is enabled by default, but with no max-age configured it sends max-age=0, which tells browsers to forget the policy rather than enforce it; 31536000 seconds is one year.

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    Note: the filter only adds Strict-Transport-Security to requests that Tomcat regards as secure. If TLS is terminated at a proxy or load balancer in front of Tomcat, configure the RemoteIpValve or RemoteIpFilter (protocolHeader) so that forwarded HTTPS requests are seen as secure, otherwise the header is never sent. The same filter also accepts hstsIncludeSubDomains and hstsPreload; set hstsIncludeSubDomains only if every subdomain serves HTTPS.
  4. Save changes.

  5. Restart Tomcat.
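To confirm the change took effect, the following checker is an added example (not part of this page or of Tomcat) that parses a Strict-Transport-Security header value per RFC 6797 and reports the weak states a Tomcat operator is likely to meet: no header at all, the max-age=0 that the filter sends when hstsMaxAgeSeconds is unset, a max-age under one year, and a preload directive whose prerequisites are not met. The sample responses embedded in it are constructed, not captured from a real server; the script name and the optional URL argument are assumptions.

```python
"""Offline check of a Strict-Transport-Security header value.

The SAMPLES below are constructed responses standing in for what a Tomcat
instance sends before and after the web.xml change; pass a URL to check a live host.
"""
import ssl
import sys
import urllib.request

ONE_YEAR = 31536000  # the hstsMaxAgeSeconds value used in the web.xml above


def parse_hsts(value):
    """Parse an HSTS header value per RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is required and must not
    be repeated, and unknown directives are ignored.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if parsed["max_age"] is not None:
                raise ValueError("max-age given more than once")
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    if parsed["max_age"] is None:
        raise ValueError("max-age directive missing")
    return parsed


def assess(headers):
    """Return a list of findings for a dict of response headers (empty list = fine)."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["no Strict-Transport-Security header: the filter is not mapped, or the "
                "request did not reach Tomcat as secure"]
    try:
        parsed = parse_hsts(hsts)
    except ValueError as exc:
        return [f"malformed header {hsts!r}: {exc}"]
    findings = []
    if parsed["max_age"] == 0:
        findings.append("max-age=0: what the filter sends when hstsMaxAgeSeconds is unset; "
                        "browsers treat it as an instruction to forget the policy")
    elif parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age={parsed['max_age']} is under one year (31536000)")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains may still be reached over plain "
                        "HTTP (set hstsIncludeSubDomains=true only if every subdomain serves HTTPS)")
    if parsed["preload"] and not (parsed["include_subdomains"] and parsed["max_age"] >= ONE_YEAR):
        findings.append("preload present but the preload list requires max-age of at least "
                        "one year and includeSubDomains")
    return findings


def fetch_headers(url, timeout=10):
    """Live check: HEAD the URL over TLS and return its response headers."""
    req = urllib.request.Request(url, method="HEAD")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return dict(resp.headers.items())


# Constructed samples (not captured from a real server).
SAMPLES = {
    "filter mapped, hstsMaxAgeSeconds unset": {"Strict-Transport-Security": "max-age=0"},
    "after the web.xml change above": {"Strict-Transport-Security": "max-age=31536000"},
    "with hstsIncludeSubDomains and hstsPreload": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "filter not mapped": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    targets = {sys.argv[1]: fetch_headers(sys.argv[1])} if len(sys.argv) > 1 else SAMPLES
    for label, headers in targets.items():
        findings = assess(headers)
        print(label + (": OK" if not findings else ":"))
        for finding in findings:
            print("  - " + finding)
```

Run it with no arguments to see the verdict for each constructed sample, or as `python3 check_hsts.py https://your-host/` (file name assumed) after restarting Tomcat. Check the live host through the same path browsers use: if TLS ends at a proxy, a request sent straight to Tomcat's HTTP port will correctly show no header, because the filter only emits it on requests Tomcat sees as secure.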