Configure HTTP Strict Transport Security
2 minute read
HTTP Strict Transport Security (HSTS) is a browser security mechanism, implemented by way of an HTTP
Strict-Transport-Security response header, which allows the connection with a website through secure connections (HTTPS) only.
HSTS enforces security on applications by mitigating attacks such as man-in-the-middle, insecure link referencing, and invalid certificates.
Add an HSTS profile
To create an HSTS to your domain, you must first add an HSTS profile in Policy Studio.
In Policy Studio, click Environment Configuration > Libraries > HSTS Profiles.
Right-click HSTS Profiles, and select Add an HSTS Profile.
Configure the following settings:
- Name: Unique name of the HSTS profile. Defaults to HTTP Strict Transport Security.
- Enable HSTS: Specifies whether HSTS processing is enabled for the profile. Defaults to enabled.
- HSTS Parameters:
- max-age (seconds): Specifies the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
- includeSubDomains: Applies the new profile to all of the site’s subdomains. Defaults to enabled.
Configure an HSTS profile
The HSTS profile is not configured in SSL interfaces by default. To enable it, for example, for API Gateway, perform the following steps:
- In Policy Studio, click Environment Configuration > Listeners > API Gateway > Default Services > Ports.
- Right-click the HTTPS interface you wish to update, and click Edit.
- Click the Advanced tab, and under HSTS Settings, select the HSTS profile you wish to use to protect all endpoints serviced by this interface.
- Click OK.
After the changes have been deployed, all the responses from the interface will contain the
When you enable HSTS, it takes effect for the entire domain regardless of any other ports configured on the listeners. Any non-SSL ports that exist in the configuration (listeners) will no longer work from the browser after an HSTS-protected interface has been invoked from the browser.
HSTS is made redundant when self-signed certificates are employed.
By default, the following ports use self-signed certificates:
- API Manager UI(8075)
- API Manager traffic (8065)
- API Gateway Manager UI (8090)
- API Gateway Analytics (8040)
- Client Application Registry (8089)