IBM Support

PI67099: PROVIDE OPTION TO ADD STS RESPONSE HEADER FOR HTTPS REQUEST

Fixes are available

9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
16.0.0.4: WebSphere Application Server Liberty 16.0.0.4
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
17.0.0.1: WebSphere Application Server Liberty 17.0.0.1
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
9.0.5.6: WebSphere Application Server traditional Version 9.0.5 Fix Pack 6

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Provide option to add STS response header for HTTPs request
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server v9.0 and Liberty users.              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Ability to set HTTP Strict Transport    *
    *                      Security (HSTS)response header.         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    For an HTTPs request the HSTS header is not sent with the
    response, as a result the browser client will not know to
    send
    subsequent communications over HTTPs only.
    

Problem conclusion

  • The Webcontainer code has been updated to provide an option to
    add the HSTS response header for a HTTPs request.
    
    
    To enable this function the user will need to set a web
    application context-paramater or a server level webcontainer
    custom property.
    
    Use the following param-name to add a context parameter in the
    web.xml for the application, the param-value provided here is
    an example
      <context-param>
    
    <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param
    -name>
         <param-value>max-age=31536000; includeSubDomains;
    preload</param-value>
      </context-param>
    
    
    
    or Alternatively add the server level custom property by using
    the following property name , the value provided is an example
    
    com.ibm.ws.webcontainer.addStrictTransportSecurityHeader="max-ag
    e=31536000; includeSubDomains"
    
    
    
    For Liberty users, the server level custom property needs to
    be added in server.xml , and the property full or short name
    can be used,
    
    i.e.
    "com.ibm.ws.webcontainer.addStrictTransportSecurityHeader" or
    "addstricttransportsecurityheader"
    
    the value provided below is an example
    
    <webContainer
    addstricttransportsecurityheader="max-age=31536000;
    includeSubDomains" />
    
    
    Note: If both the web application context-param and the server
    level custom property are provided, the context-param value
    will take precedence over the server level value for that web
    application.
    
    If the server level custom property is set but the user needs
    to remove or unset the property for a web application , then
    add the following param-value to the context-param.
    
      <context-param>
    
    <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param
    -name>
         <param-value>max-age=-1</param-value>
      </context-param>
    
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.18, 9.0.0.2 and  Liberty 16.0.0.4
    
    
    
    
    
    
    Please refer to the recommended updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI67099

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-08

  • Closed date

    2016-10-04

  • Last modified date

    2020-05-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
16 October 2021