Support for HTTP strict transport security (HSTS)

HTTP strict transport security (HSTS) is a mechanism that helps protect HTTP servers against certain man-in-the-middle attacks. It allows a server to instruct compliant user agents, such as web browsers, to interact with it only over secure connections (HTTPS).

HSTS is implemented by the server returning a Strict-Transport-Security header in its HTTP responses. This header indicates the period of time for which the user agent should interact only securely with the server, and whether this behavior extends to its sub-domains.

An example HSTS header is:

    Strict-Transport-Security: max-age=86400; includeSubDomains

It instructs the user agent to interact with the server securely for 24 hours (86400 seconds) and extends that behavior to all sub-domains. For example, if the initial request was to example.com, then future requests to server1.example.com and server2.example.com are to be made securely too.

HSTS is fully described in RFC 6797: HTTP Strict Transport Security (HSTS).

Enabling support for HSTS in CICS

Configure CICS to support HSTS only if all inbound connections are secured and the CICS server is part of a fully secure domain. CICS provides a set of feature toggles for HSTS support.

The feature toggle settings apply to all installed TCPIPSERVICEs that have PROTOCOL(HTTP) and also to the CMCI JVM server.
To configure HSTS at the region level, use the following feature toggles:

com.ibm.cics.web.hsts.max-age=seconds
    Activates HSTS for the entire region and sets the max-age value of the HSTS header in seconds (0-99999999). One year is 31536000 seconds.

com.ibm.cics.web.hsts.includesubdomains={true|false}
    Takes effect only when the com.ibm.cics.web.hsts.max-age feature toggle is also specified.

    Controls whether HSTS is extended to the sub-domains of the CICS server. When true is specified, the includeSubDomains option is added to the HSTS header.

For finer control, you can configure HSTS for individual TCPIPSERVICEs, overriding the region-wide settings, by using the following feature toggles. However, the CMCI JVM server can use only the region-wide HSTS setting.

com.ibm.cics.web.hsts.max-age.TCPIPS={seconds|-1}
    TCPIPS
        Specifies the name of an individual TCPIPSERVICE that is to have an HSTS setting different from the region-wide setting.

    seconds
        Specifies the max-age value for the TCPIPSERVICE in its HSTS header.

    -1
        Disables HSTS for the specified TCPIPSERVICE.

com.ibm.cics.web.hsts.includesubdomains.TCPIPS={true|false}
    Takes effect only when the com.ibm.cics.web.hsts.max-age.TCPIPS feature toggle is also specified.

    Controls whether HSTS is extended to the sub-domains of the specified TCPIPSERVICE. When true is specified, the includeSubDomains option is added to the HSTS header of the TCPIPSERVICE named by TCPIPS.
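As an added illustration (not CICS code), the following Python models how the feature toggles above resolve to the Strict-Transport-Security value each TCPIPSERVICE would send, and includes a small parser for checking the header a server actually returns. The toggle file format, the TCPIPSERVICE names and the assumption that a per-TCPIPSERVICE override replaces both region-wide settings are constructed for the example.

```python
from typing import Optional

PREFIX = "com.ibm.cics.web.hsts"
MAX_AGE_LIMIT = 99_999_999  # documented upper bound for max-age

# Constructed sample toggles: a region-wide default plus two per-TCPIPSERVICE overrides
SAMPLE_TOGGLES = """
com.ibm.cics.web.hsts.max-age=31536000
com.ibm.cics.web.hsts.includesubdomains=true
com.ibm.cics.web.hsts.max-age.HTTPSRV1=86400
com.ibm.cics.web.hsts.max-age.LEGACY=-1
com.ibm.cics.web.hsts.includesubdomains.LEGACY=true
"""

def parse_toggles(text: str) -> dict:
    """Parse key=value lines into a dict, skipping blanks and # comments (assumed format)."""
    toggles = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            toggles[key.strip()] = value.strip()
    return toggles

def hsts_header(toggles: dict, tcpipservice: Optional[str] = None) -> Optional[str]:
    """Header value a TCPIPSERVICE sends, or None when HSTS is off for it.
    Rules from the text: per-service max-age overrides region-wide, -1 disables it,
    includesubdomains counts only with its matching max-age; None = CMCI JVM server."""
    suffix = f".{tcpipservice}" if tcpipservice else ""
    if suffix and f"{PREFIX}.max-age{suffix}" not in toggles:
        suffix = ""  # no override for this service: fall back to region-wide
    raw = toggles.get(f"{PREFIX}.max-age{suffix}")
    if raw is None:
        return None  # HSTS not configured at all
    max_age = int(raw)
    if max_age == -1:
        return None  # explicitly disabled for this TCPIPSERVICE
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max-age out of range: {max_age}")
    value = f"max-age={max_age}"
    if toggles.get(f"{PREFIX}.includesubdomains{suffix}", "false").lower() == "true":
        value += "; includeSubDomains"
    return value

def parse_hsts(value: str) -> dict:
    """Split a received Strict-Transport-Security value into directives (RFC 6797 names are case-insensitive)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip('" ') if val else True
    return directives
```

Feeding the header returned by a TCPIPSERVICE through parse_hsts and comparing it with hsts_header for that service is a quick way to confirm the toggles took effect after a restart.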