Enabling HTTP Strict-Transport-Security response header in Apache Tomcat 8.5
The HTTP Strict-Transport-Security (HSTS) response header helps prevent users from connecting to the application over unencrypted connections. To enable this header in Apache Tomcat, follow these steps:
1. Open <Tomcat install directory>\conf\web.xml in a text editor.
2. Insert the following initialization parameters into the httpHeaderSecurity filter, after the async-supported element. Ensure that the httpHeaderSecurity filter is uncommented, as described in the section Enabling Secure HTTP Header in Apache Tomcat.
   <init-param>
       <param-name>hstsEnabled</param-name>
       <param-value>true</param-value>
   </init-param>
   <init-param>
       <param-name>hstsMaxAgeSeconds</param-name>
       <param-value>31536000</param-value>
   </init-param>
   <init-param>
       <param-name>hstsIncludeSubDomains</param-name>
       <param-value>true</param-value>
   </init-param>
3. Save web.xml.
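To confirm the edit after saving, the following added example (not part of the PTC or Tomcat documentation) parses a web.xml and reports whether the httpHeaderSecurity filter is active with the three values from step 2. The sample web.xml is constructed, the function names are hypothetical, and the filter-mapping check assumes the stock Tomcat layout, where the mapping is commented out together with the filter.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed conf/web.xml with the filter enabled as in the steps above.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Parameter values taken from step 2 of the procedure.
EXPECTED = {"hstsEnabled": "true", "hstsMaxAgeSeconds": "31536000", "hstsIncludeSubDomains": "true"}

def local(tag):
    """Strip the XML namespace so the check works across web.xml schema versions."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Return the trimmed text of the first direct child called `name`, or None."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), None)

def check_hsts(web_xml_text, filter_name="httpHeaderSecurity"):
    """Return a list of problems; an empty list means the HSTS settings are in place."""
    root = ET.fromstring(web_xml_text)  # comments are dropped, so a commented-out filter is not found
    filters = [e for e in root if local(e.tag) == "filter" and child_text(e, "filter-name") == filter_name]
    if not filters:
        return [f"filter {filter_name} is missing or still commented out"]
    params = {child_text(p, "param-name"): child_text(p, "param-value")
              for p in filters[0] if local(p.tag) == "init-param"}
    problems = [f"{k} is {params.get(k)!r}, expected {v!r}" for k, v in EXPECTED.items() if params.get(k) != v]
    if not any(local(e.tag) == "filter-mapping" and child_text(e, "filter-name") == filter_name for e in root):
        problems.append(f"no filter-mapping for {filter_name}")
    return problems

if __name__ == "__main__":
    for line in check_hsts(SAMPLE_WEB_XML) or ["HSTS filter configuration OK"]:
        print(line)
```

To check a real installation, pass the contents of <Tomcat install directory>\conf\web.xml to check_hsts. Tomcat's HttpHeaderSecurityFilter adds the Strict-Transport-Security header only to responses for requests it treats as secure, so confirm the live result over an HTTPS connection.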