HTTP Strict-Transport-Security (HSTS)
The Strict-Transport-Security HTTP header provides support for the HTTP Strict Transport Security (HSTS) standard, as specified by RFC 6797.
It helps to protect against protocol downgrade attacks and cookie hijacking by declaring that user agents, such as web browsers or Spotfire Analyst clients, must interact with the Spotfire Server using secure HTTPS connections.
The feature can be switched on by running the following commands in the <server installation directory>\tomcat\spotfire-bin directory on the command line. (For details on using the Spotfire command line, see Executing commands on the command line.)
config export-config --force
config set-config-prop -n security.hsts.enabled -v true
config import-config -c "Enabled HSTS"
The feature can be switched off by running the following commands:
config export-config --force
config set-config-prop -n security.hsts.enabled -v false
config import-config -c "Disabled HSTS"
When this feature is enabled, the server includes the HTTP header "Strict-Transport-Security: max-age=0" in all responses. Note that RFC 6797 defines a max-age of 0 as an instruction to user agents to stop treating the host as an HSTS host, so the max-age directive must be set to a positive value for a policy to be retained by clients.
Use the following commands to customize the max-age directive:
config export-config --force
config set-config-prop -n security.hsts.max-age-seconds -v <value>
config import-config -c "Customized HSTS max-age directive"
<value> can be any positive integer, representing the number of seconds the HSTS policy should remain in effect.
The includeSubDomains directive is not included in the HTTP header by default, but it can be enabled by running the following commands:
config export-config --force
config set-config-prop -n security.hsts.include-sub-domains -v true
config import-config -c "Enabled includeSubDomains directive for HSTS"
The includeSubDomains directive can be excluded from the HTTP header by running the following commands:
config export-config --force
config set-config-prop -n security.hsts.include-sub-domains -v false
config import-config -c "Disabled includeSubDomains directive for HSTS"
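The commands above set the header; checking the result is the natural next step. The following added example, which is not from the Spotfire documentation or product code, parses a Strict-Transport-Security header value according to RFC 6797 and flags the conditions the settings above control: a missing header, a max-age of 0, a short max-age, and an absent includeSubDomains directive. The response headers it runs over are constructed samples, and the one-year threshold is an assumption of this example, not a Spotfire default.

```python
"""Parse and assess a Strict-Transport-Security header per RFC 6797.

Added example, not part of the Spotfire documentation or product.
The response headers at the bottom are constructed samples, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; assumed minimum for a production policy (not a Spotfire default)


@dataclass
class HstsPolicy:
    max_age: int
    include_sub_domains: bool
    preload: bool  # not defined in RFC 6797; used by browser preload lists


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value. Raises ValueError on syntax RFC 6797 rejects:
    a missing or non-numeric max-age, or a directive given more than once."""
    max_age: Optional[int] = None
    include_sub_domains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        val = val.strip().strip('"')     # the max-age value may be a quoted string
        if name in seen:
            raise ValueError(f"directive '{name}' appears more than once")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub_domains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires of user agents
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_sub_domains, preload)


def assess_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers (header names matched case-insensitively).
    An empty list means a policy is present and none of the checks fired."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header absent: enable security.hsts.enabled"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"HSTS header unparsable: {exc}"]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells user agents to discard the policy; "
                        "set security.hsts.max-age-seconds to a positive value")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age}s is below one year ({ONE_YEAR}s)")
    if not policy.include_sub_domains:
        findings.append("includeSubDomains not set: subdomains may still be reached over plain HTTP")
    return findings


# Constructed sample responses (headers only) for a local run.
SAMPLE_DEFAULT = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=0"}
SAMPLE_HARDENED = {"Content-Type": "text/html",
                   "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, hdrs in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, assess_response(hdrs) or ["OK"])
```

Feed assess_response the header dictionary of a real response (for instance from an HTTP client's response object) after each configuration change; a return of [] confirms the max-age and includeSubDomains settings took effect, while the max-age=0 finding is what the default header produces before max-age-seconds is customized.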