How to Enable HTTP Strict Transport Security in Connect
Objective: Meet security requirements that prescribe on-premise Connect servers use HTTP Strict Transport Security (HSTS): https://https.cio.gov/hsts/
Environment: On-premise Connect servers
Steps: There are several ways to implement HSTS, depending on where TLS is terminated:
1. The Connect 9.5 application server:
For the Connect application, uncomment and add the following parameters to the httpHeaderSecurity filter in the Tomcat web.xml found in appserv/conf:
Also, uncomment the following:
2. SSL acceleration: There may be additional considerations for Connect servers deployed behind hardware-based load-balancing devices that also serve as SSL accelerators.
For example, see this iRule for F5 LTM: https://devcentral.f5.com/articles/implementing-http-strict-transport-security-in-irules
Examine articles related to the specific load-balancing device and SSL accelerator employed.
3. The Adobe Experience Manager (AEM) based Connect Events Module:
An additional way to implement HSTS for the AEM-based Connect Events module is through the AEM Dispatcher proxy; version 5.5 for Connect 9.5 Events is available here: https://www.adobeaemcloud.com/content/companies/public/adobe/dispatcher/dispatcher.html
If a Dispatcher is present, you can use Apache mod_headers to set the following header: Strict-Transport-Security: max-age=31536000; includeSubDomains
Additional Information: Once a client has received the Strict-Transport-Security header over HTTPS, it upgrades its second and subsequent requests to HTTPS itself for the duration of max-age, rather than relying on the server to redirect HTTP to HTTPS each time.