4

Is there an implementation for using the Strict-Transport-Security header in WebLogic? I figure it would be using something in web.xml under <security-constraint>.

I know how to do this for an Apache-based server, but I am unsure on adding it in for WebLogic.

Please note, with this instance I am unable to use Apache in front of WebLogic.

Vnge

2 Answers

1

There is no specific configuration for HSTS (HTTP Strict Transport Security) on WebLogic.

However, the installation can be configured to work on HTTPS protocol.

You can set 'transport-guarantee' to CONFIDENTIAL or INTEGRAL in web.xml. With that set, WebLogic Server will automatically redirect a client to the HTTPS port if the original request was over HTTP.

An example of the web.xml file entry is as follows:

    <security-constraint>
      <user-data-constraint>
        <description>USE SSL</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

  • 1
    This does not answer the question. Although WebLogic may not include some specific configuration, it can for sure add custom headers (which is what HSTS is). Redirecting to HTTPS is not what HSTS accomplishes. – Eloy Roldán Paredes Feb 23 '16 at 18:55
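
One way to send the header from the application itself, with no proxy in front of WebLogic, is a servlet filter. This is an added example, not code from the thread or from Oracle: the class and package names are hypothetical, it assumes a Servlet 3.0+ container using the `javax.servlet` API, and it reuses the header value from the Nginx answer on this page.

```java
// Added example: hypothetical class and package names, standard Servlet API only.
package com.example.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Maps the filter to every request of the web application.
// Assumption: annotation scanning is enabled (no metadata-complete="true" in web.xml).
@WebFilter("/*")
public class HstsFilter implements Filter {

    // Same policy as the Nginx example on this page: one year, including subdomains.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Browsers ignore HSTS received over plain HTTP, so only send it on TLS requests.
        // isSecure() reflects the connection to the container itself.
        if (request.isSecure() && response instanceof HttpServletResponse) {
            // Set the header before the chain runs, while the response is not yet committed.
            ((HttpServletResponse) response).setHeader("Strict-Transport-Security", HSTS_VALUE);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Combined with the `CONFIDENTIAL` transport guarantee above, the container redirects plain-HTTP requests to HTTPS and the filter then attaches the header to the HTTPS response.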
1

I would probably put Nginx in front of WebLogic as a reverse proxy, and use that to do the whole HTTPS thing, including HSTS.

Then all you have to do is add the following configuration to the Nginx configuration:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Nginx documentation for HSTS

Tom O'Connor