Enabling the Strict-Transport-Security header
Configuring the Strict-Transport-Security header strengthens your
site's defense against man-in-the-middle (MITM) attacks. This header instructs browsers to
enforce secure connections by automatically upgrading all HTTP access attempts to HTTPS and
preventing the site from loading over unencrypted protocols.
About this task
Use these instructions to configure your servers so that browsers can access them over HTTPS, but not over HTTP.
For more information about this header, please see the Mozilla.org documentation page.
The following are possible values for your Strict-Transport-Security header:
- max-age=<expire-time>: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
- includeSubDomains (Optional): If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
- preload (Optional): See Preloading Strict Transport Security for details. Not part of the specification.
Procedure
- The Transaction Server's HttpSecurityFilter class adds the Strict-Transport-Security header to the response based on the configuration specified in the foundation wc-component.xml. It is enabled by default for the REST-Transaction WAR as follows:

    <_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
      <!-- Set the value of Strict-Transport-Security. Empty value will disable this header. Default value of 31536000 seconds is 1 year. -->
      <_config:property name="Strict-Transport-SecurityHeader" value="max-age=31536000; includeSubDomains"/>
    </_config:configgrouping>

  Note: The Strict-Transport-Security header for the Rest module is also enabled:

    <!-- Strict-Transport-SecurityHeader enabled in 9.1.17 release -->
    <_config:configgrouping name="HttpSecuritySettings_Rest">
      <_config:property name="Strict-Transport-SecurityHeader" value="max-age=31536000; includeSubDomains"/>
    </_config:configgrouping>

- To customize the Strict-Transport-Security header value, or to specify it for other WARs, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the HCL Commerce configuration file (wc-component.xml).
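As an added example (not code from HCL Commerce or from this page), the following Python check parses a Strict-Transport-Security value using the directive syntax listed above and evaluates a configured value, such as the default "max-age=31536000; includeSubDomains", against a minimum policy. The one-year threshold, the finding texts and the sample values are assumptions of this example.

```python
import re

# Assumed policy threshold: one year, matching the default max-age shown on the page.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    # Parse "name=value; name" directives; names are case-insensitive (RFC 6797).
    # An empty value means the filter has disabled the header, so return None.
    if value is None or not value.strip():
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        # Directive values may be quoted strings; strip the quotes.
        directives[name] = raw.strip().strip('"') if sep else None
    # max-age is mandatory and must be a non-negative integer number of seconds.
    if not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(value, min_max_age=MIN_MAX_AGE):
    # Return a list of findings; an empty list means the value meets the policy.
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return ["unparseable: " + str(exc)]
    if d is None:
        return ["header disabled (empty value): browsers will not upgrade HTTP requests"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 removes the policy from browsers that cached it")
    elif d["max-age"] < min_max_age:
        findings.append("max-age %d is below the %d-second minimum" % (d["max-age"], min_max_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    return findings


# Constructed sample values: the page's default, a weak value, and the disabled case.
SAMPLES = {"default": "max-age=31536000; includeSubDomains", "weak": "max-age=600", "disabled": ""}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, check_hsts(header) or ["ok"])
```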