12

Trust you all well.

My web application runs on Tomcat 6.0.43 and does not use Apache or nginx in front.

I already enforce redirecting my web from HTTP to HTTPS using:

  1. URL redirect at ../webapps/ROOT/index.jsp:

<% response.sendRedirect("https://www.epi.com.my/portal/"); %>

  2. ../webapps/myapp/WEB-INF/web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Where do I add code like the following?

Header add Strict-Transport-Security "max-age=15768000"

Or does Tomcat not have this feature? Or do I need to modify every controller in my Java web app?

Andrey Korneyev
epiziv
  • I recommend upgrading Tomcat for an easy solution. Please refer to @mystygage's answer for Tomcat 7 and 8. – epiziv Mar 21 '16 at 03:41

7 Answers

27

If you are able to use Tomcat 7 or 8, you can activate the built-in HSTS filter. Uncomment the httpHeaderSecurity filter definition in tomcat/conf/web.xml:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

and add a useful max-age param:

<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>

Don't forget to uncomment filter mapping:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Tunaki
mystygage
  • Does the activation of HSTS require a restart of Tomcat's service? – Ali Mezgani Dec 26 '16 at 09:40
  • The HSTS filter is built in [starting on Tomcat version 7.0.63](https://stackoverflow.com/a/35795122/1507941). See [this answer](https://stackoverflow.com/a/21773359/1507941) for finding out your version of Tomcat. – Pluto May 24 '17 at 17:02
19

You can add it using a filter. Add the following snippet to web.xml (the filter-mapping is what actually attaches it to requests):

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>security.HSTSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And then create a filter in your webapp:

package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HSTSFilter implements Filter {

    // init() and destroy() are abstract in the Servlet 2.5/3.x API shipped with
    // Tomcat 6/7/8, so the class will not compile without them even though
    // this filter needs no setup or teardown.
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        // Only emit HSTS on responses served over TLS; browsers ignore the
        // header on plain HTTP (RFC 6797), so there is no point sending it there.
        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");

        chain.doFilter(req, resp);
    }

    public void destroy() {
    }
}

It's also possible to add the filter using the global web.xml (conf/web.xml).

Severe
2

Use url-rewrite.

  1. Create a url-rewrite config file and put it into your web application's WEB-INF/classes directory
  2. Add a rule that adds that header to all requests

Note that this is not HSTS-specific: you can do anything you want with url-rewrite.

Christopher Schultz
2
  1. Just add this code in the JSP inside JSP scriptlet tags:

    <%
        response.setHeader("Strict-Transport-Security" ,"max-age=7776000" );
    %>
    

OR

  2. It can also be added on the server; if JBoss, then add the tags below to the application's web.xml:

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Strict-Transport-Security" value="max-age=31536000"/>
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    

    For <system.webServer> you have to add xmlns, otherwise it will throw a parsing exception.

OR

  3. You can do one thing: create a filter in your application and configure that filter in web.xml.
Mad Physicist
faizan9689
0

If you are using/calling any third-party URLs, set the param below as well in Tomcat's web.xml:

<init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
</init-param>
-1

If faizan9689's solution for the missing HSTS header checkmarks occurring in the JSP file does not resolve them, then add the following setHeader with includeSubDomains; this will resolve the checkmark.

<%
    response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
%>
  • Observe the difference: my solution has a small change; with the above change, "includeSubDomains", some checkmarks will get resolved. – Shabrish Nayak May 27 '21 at 11:11
-1

In web.xml from the %TOMCAT_HOME%\conf folder:

<!-- ================== Built In Filter Definitions ===================== -->
 
<!-- A filter that sets various security related HTTP Response headers.   -->
<!-- This filter supports the following initialization parameters         -->
<!-- (default values are in square brackets):                             -->
<!--                                                                      -->
<!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
<!--                       (HSTS) header be added to the response? See    -->
<!--                       RFC 6797 for more information on HSTS. [true]  -->
<!--                                                                      -->
<!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
<!--                       HSTS header. Negative values will be treated   -->
<!--                       as zero. [0]                                   -->
<!--                                                                      -->
<!--   hstsIncludeSubDomains                                              -->
<!--                       Should the includeSubDomains parameter be      -->
<!--                       included in the HSTS header.                   -->
<!--                                                                      -->
<!--   antiClickJackingEnabled                                            -->
<!--                       Should the anti click-jacking header           -->
<!--                       X-Frame-Options be added to every response?    -->
<!--                       [true]                                         -->
<!--                                                                      -->
<!--   antiClickJackingOption                                             -->
<!--                       What value should be used for the header. Must -->
<!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
<!--                       (case-insensitive). [DENY]                     -->
<!--                                                                      -->
<!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->
<!--                       allowed? []                                    -->
<!--                                                                      -->
<!--   blockContentTypeSniffingEnabled                                    -->
<!--                       Should the header that blocks content type     -->
<!--                       sniffing be added to every response? [true]    -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
 
<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Bhaskara Arani