TIBCO Spotfire® Server and Environment - Installation and Administration

HTTP Strict-Transport-Security (HSTS)

The Strict-Transport-Security HTTP header provides support for the HTTP Strict Transport Security (HSTS) standard, as specified by RFC 6797.

It helps protect against protocol downgrade attacks and cookie hijacking by declaring that user agents, such as web browsers or Spotfire Analyst clients, must interact with the Spotfire Server only over HTTPS. Browsers honor the header only when it is received over an HTTPS connection, so the server must already be configured for HTTPS before enabling this feature has any effect.

The feature can be switched on by running the following commands in the <server installation directory>\tomcat\spotfire-bin directory on the command line. (For details on using the Spotfire command line, see Executing commands on the command line.) Each sequence below exports the current configuration, changes one property, and imports the result; several set-config-prop commands can be run between a single export-config and import-config to change all of the HSTS properties in one cycle.
config export-config --force
config set-config-prop -n security.hsts.enabled -v true
config import-config -c "Enabled HSTS"
The feature can be switched off by running the following commands:
config export-config --force
config set-config-prop -n security.hsts.enabled -v false
config import-config -c "Disabled HSTS"

When this feature is enabled, the server includes the HTTP header "Strict-Transport-Security: max-age=0" in all responses. Note that a max-age of 0 tells browsers to discard any stored HSTS policy for the host (RFC 6797, section 6.1.1), so the header provides no protection until the max-age directive is customized to a positive value as described below.

Use the following commands to customize the max-age directive:
config export-config --force
config set-config-prop -n security.hsts.max-age-seconds -v <value>
config import-config -c "Customized HSTS max-age directive"

<value> can be any positive integer, representing the number of seconds the HSTS policy remains in effect after the browser last received the header. A value of 31536000 (one year) is the commonly recommended minimum. Because browsers cache the policy for that long, test with a short value first: once a long max-age has been served, browsers refuse plain HTTP to the server until it expires, and the server can only revoke the policy early by sending the header with max-age=0.

The includeSubDomains directive is not included in the HTTP header by default. Enable it only if every host under the server's domain is served over HTTPS, because browsers will then refuse plain HTTP connections to all of those subdomains for the max-age period. It can be enabled by running the following commands:
config export-config --force
config set-config-prop -n security.hsts.include-sub-domains -v true
config import-config -c "Enabled includeSubDomains directive for HSTS"
The includeSubDomains directive can be excluded from the HTTP header by running the following commands:
config export-config --force
config set-config-prop -n security.hsts.include-sub-domains -v false
config import-config -c "Disabled includeSubDomains directive for HSTS"
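After changing the settings above, the practical check is to inspect the Strict-Transport-Security header the server actually returns and confirm that it enforces something. The following script is an added example and is not part of the Spotfire documentation or product: it parses the header according to RFC 6797 and reports policies that are enabled but ineffective, in particular the max-age=0 header sent before max-age has been customized, and a missing includeSubDomains directive. The sample header values in the script are constructed, not captured from a server; the fetch_hsts_header function (an assumption about how an administrator would collect the live value, using only the Python standard library) is used when a URL is passed on the command line.

```python
"""Check the Strict-Transport-Security header returned by a Spotfire Server
(or any HTTPS server) after HSTS has been enabled.

Added example, not code from the Spotfire documentation or product.
"""
import sys
import urllib.error
import urllib.request
from typing import Optional

ONE_YEAR = 31536000  # seconds; commonly recommended minimum for max-age

MSG_NO_HEADER = "no Strict-Transport-Security header: HSTS is not enabled"
MSG_NO_MAX_AGE = "max-age directive missing: header is invalid and ignored by browsers"
MSG_ZERO = "max-age=0: browsers discard the HSTS policy, so there is no protection"
MSG_NO_SUBDOMAINS = "includeSubDomains not set: subdomains are not covered"


def parse_hsts(header: Optional[str]) -> dict:
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797 section 6.1), so keys are
    lower-cased; a directive without a value (includeSubDomains) maps to None.
    An absent or empty header yields an empty dict.
    """
    directives = {}
    if not header:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def assess_hsts(header: Optional[str]) -> list:
    """Return a list of findings for the header; an empty list means it is sound."""
    d = parse_hsts(header)
    if not d:
        return [MSG_NO_HEADER]
    if "max-age" not in d:
        return [MSG_NO_MAX_AGE]
    try:
        max_age = int(d["max-age"])
    except (TypeError, ValueError):
        return [f"max-age value {d['max-age']!r} is not an integer: header ignored by browsers"]
    findings = []
    if max_age == 0:
        findings.append(MSG_ZERO)
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the one-year minimum ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append(MSG_NO_SUBDOMAINS)
    return findings


def fetch_hsts_header(url: str) -> Optional[str]:
    """Send a HEAD request and return the header value, or None if absent.

    Only HTTPS responses count: browsers ignore the header on plain HTTP, so
    checking an http:// URL would prove nothing.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("HSTS is only honoured on HTTPS responses; use an https:// URL")
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return err.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample values: the header described for a freshly enabled
    # server, and one with max-age and includeSubDomains customised.
    samples = {
        "just enabled": "max-age=0",
        "customised": "max-age=31536000; includeSubDomains",
    }
    if len(sys.argv) > 1:
        samples["live"] = fetch_hsts_header(sys.argv[1])
    for label, value in samples.items():
        print(f"{label}: {value!r}")
        for finding in assess_hsts(value) or ["OK"]:
            print("  -", finding)
```

Run it with the server's HTTPS URL as the only argument (for example the login page) to check the live header alongside the two constructed samples; a clean result is an empty findings list, printed as "OK".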