HTTP Strict Transport Security (HSTS) is a web security policy mechanism, which helps protect web application users against some passive (eavesdropping) and active network attacks. To enable HSTS for Service Manager (web tier, SRC, or Mobility Client), you only need to enable HSTS in the web server (Apache or IIS) or the web application server (Tomcat or WebSphere) so that an HTTP header named Strict-Transport-Security is added when an HTTPS session has already been established.
The following are instructions on how to enable HSTS in the supported web servers and web application servers.
This is supported for Tomcat 8 (8.0.23 and later).
To enable HSTS in Tomcat, follow these steps:
httpHeaderSecurity filter definition and the
<filter-mapping> section, and then add the
hstsMaxAgeSeconds parameter, as shown below.
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>hstsMaxAgeSeconds</param-name> <param-value>31536000</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
for additional information see