Setting up HTTP Strict Transport Security (HSTS)
You can send the HTTP Strict Transport Security (HSTS) response header so that your server tells clients to use only HTTPS for this host, for a stated period of time, on every later request. You can also redirect any non-HTTPS requests to the SSL-enabled virtual hosts so that clients that have not yet seen the header are moved to HTTPS.
Before you begin
- If SSL/TLS is terminated by a device in front of IBM HTTP Server, and IBM HTTP Server itself is not configured for SSL/TLS, the following procedure does not apply. Instead, configure HTTP Strict Transport Security on the device that terminates SSL/TLS, because a client honors the header only when it arrives over a TLS connection without errors. For the server-side processing rules, see RFC 6797 section 7.
- Determine whether your HSTS policy applies only to the domain or also to all of its subdomains (the includeSubDomains directive). Choose includeSubDomains only if every subdomain, including ones that serve internal or non-web traffic, is reachable over HTTPS.
- Determine whether the domain can be part of the preinstalled list of known HSTS hosts that clients ship with (the preload directive). The directive by itself does not add the domain to that list; inclusion is a separate submission, and it is hard to reverse.
- Determine how long, in seconds, a client can cache the information that the domain is an HSTS host (the max-age directive). A client that later receives max-age=0 from the host drops the entry. Start with a short value while you confirm that every resource is served over HTTPS, then raise it.
- Restriction: The server does not add the HSTS header to HTTP 304 (Not Modified) responses, which are used to validate cache freshness. A client therefore does not see the HSTS header until it accesses at least one uncached (or stale) resource on the server.
- HSTS works only if the client is connecting to the default ports for HTTP (port 80) and HTTPS (port 443). When a client applies an HSTS policy it rewrites the URI scheme to https and replaces an explicit port 80 with 443, but it preserves any other explicit port (RFC 6797 section 8.3); a request to a non-default HTTP port is therefore retried as HTTPS on that same port, which still speaks plain HTTP. If you are using non-default ports in your IBM HTTP Server configuration, you need an additional front-end device that does use the default ports. Place the additional front-end device between your IBM HTTP Server and the client. For example:

  client ----> load balancer (ports 80 and 443) ----> IHS (other ports)
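The following Python example is added here to make the three policy decisions, the 304 restriction and the default-port constraint concrete; it is not IBM HTTP Server code and not part of the original page. It builds the header value from the decisions above, parses it the way an RFC 6797 client does, and applies the client-side scheme and port rewrite that explains why a server on non-default ports needs a default-port front end. The hostnames and header values are constructed sample input, and the preload threshold (max-age of at least one year plus includeSubDomains) is the submission requirement of the public preload list, which this page does not state.

```python
"""HSTS policy helper (added example, not IBM HTTP Server code)."""

import re
from urllib.parse import urlsplit, urlunsplit

# Preload-list submission requirement (hstspreload.org), assumed here; the
# page itself only says to decide whether the domain can be preloaded.
PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds


def build_hsts_header(max_age, include_subdomains=False, preload=False):
    """Turn the three 'Before you begin' decisions into a header value."""
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        if not include_subdomains or max_age < PRELOAD_MIN_MAX_AGE:
            raise ValueError("preload needs includeSubDomains and max-age >= %d"
                             % PRELOAD_MIN_MAX_AGE)
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns {"max_age", "include_subdomains", "preload"} or None when the
    header is not valid (missing, duplicate or malformed max-age), in which
    case a client ignores the whole header. Names are case-insensitive and
    unknown directives are skipped.
    """
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "preload": preload}


def process_response(host, secure_transport, headers, known_hosts):
    """Apply RFC 6797 section 8.1 to one response (headers: (name, value) pairs).

    The header counts only over TLS; the first STS header wins; max-age=0
    removes the host. A 304 from IBM HTTP Server carries no STS header, so a
    client revalidating cached content simply falls through and learns nothing.
    Returns True when the known-hosts cache was updated.
    """
    if not secure_transport:
        return False
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            policy = parse_hsts_header(value)
            if policy is None:
                return False
            if policy["max_age"] == 0:
                known_hosts.pop(host, None)
            else:
                known_hosts[host] = policy
            return True
    return False


def rewrite_for_hsts(url, known_hosts):
    """RFC 6797 section 8.3: for a known HSTS host (or a subdomain covered by
    includeSubDomains) rewrite http:// to https://, mapping explicit port 80
    to 443 and preserving any other explicit port. That preservation is why
    http://host:8080/ becomes https://host:8080/, the same plain-HTTP listener.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    host = parts.hostname
    covered = host in known_hosts or any(
        host.endswith("." + h) and p["include_subdomains"]
        for h, p in known_hosts.items())
    if not covered:
        return url
    netloc = host if parts.port in (None, 80) else "%s:%d" % (host, parts.port)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    known = {}
    hdr = build_hsts_header(PRELOAD_MIN_MAX_AGE, include_subdomains=True, preload=True)
    process_response("example.com", True, [("Strict-Transport-Security", hdr)], known)
    print(rewrite_for_hsts("http://example.com/login", known))       # default port: fixed
    print(rewrite_for_hsts("http://www.example.com:8080/login", known))  # port kept: breaks
```

Run it once to see the two rewrites: the default-port request moves to https://example.com/login, while the non-default-port request keeps port 8080 and would hit the plain-HTTP listener, which is the situation the load balancer in front of IHS avoids.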