Support for HTTP Strict Transport Security (HSTS) in the AccuRev Tomcat



HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy mechanism: a site sends the Strict-Transport-Security response header over HTTPS, and a browser that has seen it then refuses to contact that host over plain HTTP for the stated max-age and treats TLS certificate errors as fatal rather than as click-through warnings. This protects users against passive eavesdropping on an HTTP session and against active downgrade ("SSL stripping") attacks on the network path. To enable HSTS for Service Manager (web tier, SRC, or Mobility Client), you only need to enable HSTS in the web server (Apache or IIS) or the web application server (Tomcat or WebSphere) so that the Strict-Transport-Security header is added to responses that are already being sent over HTTPS. Browsers ignore the header on plain HTTP responses, so it only takes effect once an HTTPS session has been established.



  • If you are using a web server in front of your web application server, enable HSTS in the web server only; otherwise, enable it in the web application server. If you are using WebSphere, you must configure an IBM HTTP Server in front of WebSphere and enable HSTS there.
  • HSTS rewrites http://host URLs to https://host and, per RFC 6797, keeps any explicit non-default port unchanged: http://host:8080 would be rewritten to https://host:8080, which fails unless HTTPS is actually served on that port. Run HTTP on port 80 and HTTPS on port 443 so that the rewrite lands on the HTTPS listener.
  • To use HSTS, enable the secureLogin parameter in the Service Manager web tier, SRC, and Mobility Client and configure TLS between the web application server and the browser. Every page must be reachable over HTTPS before you enable HSTS, because a browser that has stored the policy will no longer load any http:// URL on that host until max-age expires.

The following are instructions on how to enable HSTS in the supported web servers and web application servers.

How to enable HSTS in Tomcat



This is supported for Tomcat 8.0.23 and later, which ship the HttpHeaderSecurityFilter (org.apache.catalina.filters.HttpHeaderSecurityFilter) that emits the header.

To enable HSTS in Tomcat, follow these steps:

  1. Open the <Tomcat>/conf/web.xml file in a text editor. Note that conf/web.xml applies to every web application deployed on this Tomcat instance; to limit the change to one application, make the same edit in that application's WEB-INF/web.xml instead.
  2. Uncomment the httpHeaderSecurity <filter> definition and its <filter-mapping> section, and add an hstsMaxAgeSeconds init-param to the filter definition. hstsEnabled defaults to true, but hstsMaxAgeSeconds defaults to 0; without it Tomcat sends "max-age=0", which tells browsers to discard any stored policy rather than enforce one.
  3. Save the file.
  4. Restart Tomcat.
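The following web.xml fragment is an added example of the result of the steps above; it is not copied from the original page or from the product documentation. The filter and mapping names match the ones shipped commented out in Tomcat's stock conf/web.xml; the max-age value of 31536000 seconds (one year) and the hstsIncludeSubDomains setting are assumptions to adjust for your deployment.

```xml
<!-- Example fragment for <Tomcat>/conf/web.xml (added example, not the page's own content).
     Uncomment the stock httpHeaderSecurity filter and extend it as shown. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <!-- hstsEnabled already defaults to true; stated explicitly for clarity. -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- Defaults to 0, which would send "max-age=0" and clear the browser's stored policy.
         31536000 seconds = one year (assumed value; start lower, e.g. 300, while testing). -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <!-- Set to true only when every subdomain of this host is also served over HTTPS;
         the policy would otherwise break any HTTP-only subdomain. Assumed: false. -->
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

<!-- Apply the filter to every request in every context. -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Two checks a practitioner will want after the restart. First, the filter only adds the header when Tomcat considers the request secure (request.isSecure() is true); if TLS is terminated on a proxy in front of Tomcat, configure the RemoteIpValve with protocolHeader="X-Forwarded-Proto" (or set secure="true" on the connector the proxy talks to) so that Tomcat sees the request as HTTPS, otherwise the header is silently never sent. Second, verify from a client with `curl -sIk https://<host>/ | grep -i strict-transport-security`, which should print `Strict-Transport-Security: max-age=31536000` (plus `; includeSubDomains` if that parameter is true); the same request over plain http:// must not carry the header. Note that with its default settings the filter also emits X-Frame-Options: DENY and X-Content-Type-Options: nosniff; if the application is embedded in frames from the same origin, add an antiClickJackingOption init-param with the value SAMEORIGIN.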

For additional information, see
