IBM Support

HSTS support

News


Abstract

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks and cookie hijacking.

Content

What is it?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks and cookie hijacking by instructing browsers to reach the server only over HTTPS. A browser that has recorded the policy rewrites later http:// requests for the host to https:// and does not let the user click through certificate errors for that host.

Note that the browser ignores the Strict-Transport-Security header if the application is accessed over plain HTTP. This is because an attacker who can intercept HTTP connections could inject the header or strip it. The browser honors the header only when the response arrives over HTTPS with no certificate errors; that is the point at which it knows your server is HTTPS capable.

You can enable HSTS in the integrated web services server or the integrated application server by navigating to Server Properties -> Security and selecting the HSTS tab, as shown in the following figure:
[Figure: HSTS tab under Server Properties -> Security]
  • Enable HSTS: Specifies whether to enable or disable HSTS.
  • HSTS security header: Specifies the value for the header. The default policy for the Strict-Transport-Security HTTP header is a max-age of one year (3600x24x365 = 31536000 seconds) with all subdomains included (the includeSubDomains directive).
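The following is an added example, not code from this page or from IBM, showing how a browser evaluates the header described above (the HTTPS-only rule in the note and the one-year, all-subdomains default) and how to check what a server actually advertises. The literal default header string is an assumption derived from the description; the sample responses are constructed, not captured from a real server.

```python
"""Parse and evaluate Strict-Transport-Security (HSTS) headers the way a
browser does (RFC 6797), and flag weak policies.

Added example; not IBM's code. The exact default header string below is an
assumption derived from the page text (one year, all subdomains included).
"""
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 3600 * 24 * 365  # 31536000 seconds, the default described on the page

# Assumed literal form of the default policy the page describes.
DEFAULT_HSTS_HEADER = f"max-age={ONE_YEAR}; includeSubDomains"


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a header value. Returns None when a browser would ignore it:
    missing, duplicated, or non-numeric max-age (RFC 6797 section 6.1)."""
    max_age = None
    include_sub = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:              # duplicated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def effective_policy(scheme: str, cert_ok: bool, headers: dict) -> Optional[HstsPolicy]:
    """Apply the rule from the note above: the header is honored only when the
    response arrived over HTTPS with no certificate errors."""
    if scheme.lower() != "https" or not cert_ok:
        return None
    hsts = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not hsts:
        return None
    return parse_hsts(hsts[0])


def check_policy(policy: Optional[HstsPolicy], min_age: int = ONE_YEAR) -> list:
    """Return the findings a reviewer would flag for the effective policy."""
    findings = []
    if policy is None:
        findings.append("no effective HSTS policy")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 removes the policy (host will be treated as non-HSTS)")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} shorter than {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains can still be reached over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample responses (scheme, certificate valid?, headers).
    samples = [
        ("https", True, {"Strict-Transport-Security": DEFAULT_HSTS_HEADER}),
        ("http", True, {"Strict-Transport-Security": DEFAULT_HSTS_HEADER}),   # ignored: plain HTTP
        ("https", False, {"Strict-Transport-Security": DEFAULT_HSTS_HEADER}), # ignored: cert error
        ("https", True, {"Strict-Transport-Security": "max-age=300"}),        # too short, no subdomains
    ]
    for scheme, ok, hdrs in samples:
        pol = effective_policy(scheme, ok, hdrs)
        print(scheme, ok, pol, check_policy(pol))
```

To check a live deployment, feed `effective_policy` the scheme, certificate verification result and response headers from an HTTPS request to the server; a header that is present but only reachable over HTTP, or served with a certificate the client rejects, yields no policy, which matches the browser behavior the note describes.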
 

Why use it?

To protect users, you can send the HTTP Strict Transport Security (HSTS) header in responses so that your server advertises to clients (for example, browsers) that it accepts only HTTPS requests.
 

Availability

The support is delivered in the following HTTP Group PTF levels:

V7R3M0 SF99722 Level 40
V7R4M0 SF99662 Level 21
V7R5M0 SF99952 Level 3


Document Information

Modified date:
16 August 2022

UID

ibm16612963