4.2.3 Ensure HSTS (HTTP Strict Transport Security) is enabled

Information

The HSTS response header (Strict-Transport-Security) tells browsers that the site must only be accessed over HTTPS and that any later attempt to reach it over plain HTTP, including an http:// link or a user-typed address, must be rewritten to HTTPS before a request is sent. With includeSubDomains the policy also covers every subdomain of the host that served the header.

Enabling HSTS helps mitigate passive eavesdropping and active man-in-the-middle (MITM) attacks such as SSL stripping, in which an attacker downgrades a connection to HTTP. Note that browsers only honour the header when it arrives over a valid HTTPS connection (RFC 6797), so the first visit to a host is not protected until the policy has been cached.

Solution

Set the addStrictTransportSecurityHeader attribute on the webContainer element in ${server.config.dir}/configDropins/overrides/*.xml (files in this directory are merged after server.xml and take precedence over it) as follows:

<webContainer addStrictTransportSecurityHeader="max-age=31536000;includeSubDomains" />
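The following audit script is an added example and is not part of the CIS benchmark or of Liberty itself. It reads a Liberty configuration document, locates the webContainer element, and checks that the addStrictTransportSecurityHeader value carries a max-age of at least one year plus includeSubDomains, which is the same check an auditor would apply to the live Strict-Transport-Security header. The three XML snippets are constructed inputs standing in for server.xml or a configDropins/overrides file.

```python
"""Audit a Liberty config document for the HSTS setting this benchmark item requires.

Added example, not code from the CIS benchmark or from IBM/Open Liberty.
The XML documents below are constructed samples, not real server configuration.
"""
import re
import xml.etree.ElementTree as ET

# Minimum max-age the benchmark recommends: one year in seconds.
MIN_MAX_AGE = 31536000

# Constructed sample configurations.
GOOD_XML = (
    '<server>'
    '<webContainer addStrictTransportSecurityHeader="max-age=31536000;includeSubDomains" />'
    '</server>'
)
WEAK_XML = (
    '<server>'
    '<webContainer addStrictTransportSecurityHeader="max-age=0" />'
    '</server>'
)
MISSING_XML = (
    '<server>'
    '<httpEndpoint id="defaultHttpEndpoint" httpsPort="9443" />'
    '</server>'
)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive (RFC 6797 section 6.1); valueless
    directives such as includeSubDomains map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts_value(value):
    """Return (ok, reason) for a header value against the benchmark's expectations."""
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", str(max_age)):
        return False, "max-age directive missing or not an integer"
    if int(max_age) < MIN_MAX_AGE:
        return False, f"max-age {max_age} is below {MIN_MAX_AGE}"
    if "includesubdomains" not in directives:
        return False, "includeSubDomains directive missing"
    return True, "ok"


def find_hsts_in_config(xml_text):
    """Return the addStrictTransportSecurityHeader value from a Liberty config, or None.

    The attribute name is matched case-insensitively so that a lower-cased copy
    of the setting is still found.
    """
    root = ET.fromstring(xml_text)
    for web_container in root.iter("webContainer"):
        for attr, val in web_container.attrib.items():
            if attr.lower() == "addstricttransportsecurityheader":
                return val
    return None


def audit(xml_text):
    """Audit one configuration document; returns (ok, reason)."""
    value = find_hsts_in_config(xml_text)
    if value is None:
        return False, "addStrictTransportSecurityHeader not set on webContainer"
    return check_hsts_value(value)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("weak", WEAK_XML), ("missing", MISSING_XML)):
        print(label, audit(doc))
```

Because Liberty merges server.xml with every file under configDropins/defaults and configDropins/overrides, run the audit over each of those documents and treat the overrides result as authoritative. To confirm the running server actually emits the header, request a page over the HTTPS endpoint with `curl -sI https://host:9443/` and inspect the Strict-Transport-Security line; the same check_hsts_value function can validate that live value.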

See Also

https://workbench.cisecurity.org/benchmarks/7724

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: df192018add4f933b39bd21b52f3ce87f280ef59d2d933fab1929c88246bcfaa