Configuring the HTTP Strict Transport Security policy

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks and cookie hijacking by telling browsers to communicate with the site only over HTTPS.

You can configure the HTTP Strict Transport Security (HSTS) policy by using the following header:

    Strict-Transport-Security: max-age=31536000; includeSubdomains;

In this example, the policy is set for one year (3600x24x365 = 31536000 seconds) and applies to all subdomains. Once a browser has stored the policy (or has it preloaded), HTTP requests to the application are automatically upgraded to HTTPS.

For more information about HSTS, see HTTP Strict Transport Security. You must choose the parameters for your web server carefully: a long max-age combined with includeSubDomains cannot be quickly undone on clients that have already cached the policy.

The HSTS header can be added for Rule Execution Server and Decision Center web applications by modifying the deployment descriptor /WEB-INF/web.xml.

Adding the HSTS header for the Rule Execution Server web application

  1. Open the web.xml file.
  2. Uncomment the following parameter:
    <init-param>
       <param-name>ilog.rules.res.security.addStrictTransportSecurityHeader</param-name>
       <param-value>max-age=31536000;includeSubDomains</param-value>
    </init-param>
  3. Verify the parameter value.
  4. Save the file and repackage it into the web application.

Adding the HSTS header for the Decision Center Business console web application

  1. Open the web.xml file.
  2. Uncomment the following parameter:
    <context-param>
       <description>
       </description>
       <param-name>com.ibm.rules.decisioncenter.security.addStrictTransportSecurityHeader</param-name>
       <param-value>max-age=31536000; includeSubDomains</param-value>
    </context-param>
  3. Verify the parameter value.
  4. Save the file and repackage it into the web application.

Adding the HSTS header for the Decision Center Enterprise console web application

  1. Open the web.xml file.
  2. Uncomment the following parameter:
    <context-param>
       <description>
       </description>
       <param-name>com.ibm.rules.decisioncenter.security.addStrictTransportSecurityHeader</param-name>
       <param-value>max-age=31536000; includeSubDomains</param-value>
    </context-param>
  3. Verify the parameter value.
  4. Save the file and repackage it into the web application.
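The following script is an added example, not part of the product or its documentation. It covers both parts of this page: it parses a Strict-Transport-Security value as the browser would (RFC 6797 directive names are case-insensitive, a trailing semicolon is an empty directive) and reports weak settings, and it checks a web.xml descriptor to confirm that the HSTS parameter is actually uncommented, since a parameter left inside an XML comment is silently ignored by the container. The web.xml fragment is constructed for the example (the servlet name and class are placeholders); only the parameter name and value are taken from the procedure above.

```python
"""Added example: validate an HSTS policy value and confirm that the HSTS
parameter in a web.xml descriptor is active (uncommented) and sane.
Not part of the product; the web.xml content below is constructed."""
import re
import xml.etree.ElementTree as ET

ONE_YEAR = 365 * 24 * 3600  # 31536000 seconds, as in the header example above

# Parameter name documented for the Rule Execution Server web.xml
RES_PARAM = "ilog.rules.res.security.addStrictTransportSecurityHeader"


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}.

    RFC 6797 directive names are case-insensitive, so they are lower-cased;
    empty directives (a trailing ';') are ignored; duplicates are an error.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"')
    return directives


def check_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the policy looks sound."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    age = d.get("max-age")
    if age is None:
        findings.append("max-age is required but missing")
    elif not re.fullmatch(r"\d+", age):
        findings.append(f"max-age must be a non-negative integer, got {age!r}")
    elif int(age) == 0:
        findings.append("max-age=0 makes browsers forget the policy")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below the recommended {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set: subdomains stay reachable over HTTP")
    return findings


def _local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def find_param(web_xml_text, param_name):
    """Return the <param-value> of the active init-param/context-param named
    param_name, or None if it is absent. ElementTree drops XML comments while
    parsing, so a parameter that is still commented out is reported as absent."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) not in ("init-param", "context-param"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == param_name:
            return fields.get("param-value")
    return None


def audit_web_xml(web_xml_text, param_name):
    """Combine both checks: is the parameter active, and is its value sound?"""
    value = find_param(web_xml_text, param_name)
    if value is None:
        return [f"{param_name} not found or still commented out"]
    return check_hsts(value)


# Constructed web.xml fragment (not a real product descriptor) with the HSTS
# parameter still commented out, as it is before step 2 of the procedure.
WEB_XML_COMMENTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>placeholder</servlet-name>
    <servlet-class>placeholder.Servlet</servlet-class>
    <!--
    <init-param>
       <param-name>ilog.rules.res.security.addStrictTransportSecurityHeader</param-name>
       <param-value>max-age=31536000;includeSubDomains</param-value>
    </init-param>
    -->
  </servlet>
</web-app>
"""
# The same descriptor after uncommenting the parameter.
WEB_XML_ACTIVE = WEB_XML_COMMENTED.replace("<!--", "").replace("-->", "")

if __name__ == "__main__":
    print("before:", audit_web_xml(WEB_XML_COMMENTED, RES_PARAM))
    print("after: ", audit_web_xml(WEB_XML_ACTIVE, RES_PARAM))
    print("header:", check_hsts("max-age=31536000; includeSubdomains;"))
```

Running the script reports the parameter as missing for the commented-out descriptor and an empty finding list once it is uncommented. The same `check_hsts` function can be pointed at the live header returned by the deployed application to confirm the container actually emits the configured value; for the Decision Center consoles, pass the `com.ibm.rules.decisioncenter.security.addStrictTransportSecurityHeader` parameter name instead.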

Decision Center REST API

For the Decision Center REST API, the HSTS feature is always enabled when HTTPS is used.