Question

Add How-To Enable HSTS within HTTPS Documentation - Already Implemented


sameer
Contributor

Not sure if it might benefit others but I’ve recently had to enable HSTS to harden the HTTP redirect from Port 80 to 443.

Edited the web.xml file and located the HSTS Comments. (~Line 468)

Added the below filters

<!-- Enable HSTS -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsPreload</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- Enable HSTS Filter -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

 

My PowerShell script to check if it’s enabled:
PS: Maximum redirection can obviously be amended. If maxage… is returned then HSTS is enabled. Alternative is to check the Header using your Internet Browser’s Developer Tools.

#Author: Sameer Abdool
#Create Date: 22/02/2024
#Purpose: Check if HSTS Policy is enabled

#Replace value of ServerName
$ServerName = "YourServerName"

#Build URL
$Domain = ".your.domain.com"
$URL = "https://$ServerName$Domain"

#Check URL is correct
Write-Host "$URL"

#Trust All Certificates - This avoids trust relationship for the SSL/TLS secure channel in PowerShell
#(certificate validation is switched off for this PowerShell session only)
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

#Get the response headers by pulling out its Headers property
#HSTS is on when the output contains Strict-Transport-Security: max-age=...
Invoke-WebRequest -Uri $URL -MaximumRedirection 10 | Select-Object -ExpandProperty Headers
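As an added example (not code from the post, from FME Flow or from Safe Software), a Python check that reads the HttpHeaderSecurityFilter init-params out of a web.xml fragment and compares them with a captured Strict-Transport-Security header, so a drift between what web.xml declares and what the server actually sends shows up as a list of mismatches. The embedded web.xml fragment and the header values fed to it are constructed for the example; the 31536000-second minimum for preload is the hstspreload.org submission requirement.

```python
import xml.etree.ElementTree as ET

PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires a max-age of at least one year

# Constructed web.xml fragment carrying the same HSTS init-params as the post.
WEB_XML = """<web-app><filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>hstsPreload</param-name><param-value>true</param-value></init-param>
</filter></web-app>"""

def filter_params(web_xml, filter_name="httpHeaderSecurity"):
    """Return the init-params of the named <filter> as a name -> value dict."""
    for flt in ET.fromstring(web_xml).iter("filter"):
        if flt.findtext("filter-name", "").strip() == filter_name:
            return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                    for p in flt.findall("init-param")}
    raise ValueError(f"filter {filter_name!r} not found in web.xml")

def parse_hsts(header):
    """Split a Strict-Transport-Security value into directives (names are case-insensitive)."""
    got = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            got["max_age"] = int(value.strip().strip('"'))
        elif name in ("includesubdomains", "preload"):
            got["include_subdomains" if name == "includesubdomains" else "preload"] = True
    return got

def hsts_mismatches(header, params):
    """List each way the observed header disagrees with web.xml; [] means it matches."""
    on = lambda key: params.get(key, "false").strip().lower() == "true"
    if header is None:  # Tomcat's filter only adds the header on secure (HTTPS) requests
        return ["no Strict-Transport-Security header"] if on("hstsEnabled") else []
    got, problems = parse_hsts(header), []
    want_age = int(params.get("hstsMaxAgeSeconds", "0"))
    if got["max_age"] != want_age:
        problems.append(f"max-age is {got['max_age']}, web.xml says {want_age}")
    if got["include_subdomains"] != on("hstsIncludeSubDomains"):
        problems.append("includeSubDomains does not match hstsIncludeSubDomains")
    if got["preload"] != on("hstsPreload"):
        problems.append("preload does not match hstsPreload")
    if got["preload"] and (got["max_age"] is None or got["max_age"] < PRELOAD_MIN_AGE
                           or not got["include_subdomains"]):
        problems.append("preload set without max-age >= 31536000 plus includeSubDomains")
    return problems
```

To use it against a live server, pass the value of the Strict-Transport-Security entry from the Headers dictionary the PowerShell script above prints (or None when the entry is absent) as `header`.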

2 replies

steveatsafe
Safer
October 3, 2024

@sameer 
Thanks for this post, and for joining the “FME Flow Fundamentals for Admins” webinar this morning and sharing this question.

I see we do have an article on enabling HSTS header, https://support.safe.com/hc/en-us/articles/25407468300173-Enabling-HTTP-Response-Headers-to-Secure-the-FME-Server-Web-Application-Server

I also see an issue reported against FME Flow when this is configured so it is good that you have had success. 

The request is to have HSTS Header enabled by default.  Feel free to create a support ticket so we can attach the ticket to the enhancement request.


steveatsafe
Safer
October 23, 2024

Hi again @sameer,
Thanks for connecting with us on this subject. 

As we’ve recently shared in the support ticket that we opened, the biggest reason for not enabling the HSTS Header by default is an issue that appears with the FME Flow Dashboards. The issue remains and we do not have a timeline for fixing it.

So anyone that does enable the HSTS Header will experience a blank page for the Dashboards.  The issue is recorded as FMEFLOW-22805.

We also noted that the additional parameters/configurations shared don’t seem to apply one way or the other to a successful HSTS Header enabling. So you can follow our documentation if enabling HSTS Header is a must.   Just know, Dashboards will not work.

This is all we can share at this time.  Thanks again! 

