IBM Support

Resolving "missing HSTS" or "missing HTTP Strict Transport Security" on WebSphere

How To


Summary

An IT security scan might report that an HTTPS port related to your WebSphere Application Server deployment is "missing HSTS" or "missing HTTP Strict Transport Security" headers.

Steps

  1. Determine whether your applications and topology are compatible with HTTP Strict Transport Security (HSTS)
    1. Carefully review the Strict Transport Security header and protocol (HSTS)
      In short, HSTS tells browsers to force HTTPS even when accessing non-secure URLs on a given hostname. The browser caches the HSTS policy for the duration specified in the response header's max-age directive.
    2. Review the hostnames and ports involved in the vulnerability report and determine what applications they represent
    3. Determine whether all of the applications are intended to run exclusively over HTTPS.
      If any applications must continue to use HTTP, you cannot enable HSTS.
    4. Determine the client-facing URLs used by the applications for both HTTP and HTTPS.
      For example, clients can use https://example.com/ to access your application implicitly over port 443, or they might instead use an explicit port such as https://example.com:9043/.
      Caution: If you use a non-default HTTP or HTTPS port, HSTS may leave the website unreachable whenever the HTTP URL is used:
      1. If the HTTPS port is non-default, requests to the HTTP port are upgraded to the default HTTPS port (443) rather than to your non-default HTTPS port.
      2. If the HTTP port is non-default, requests to that HTTP port are upgraded to HTTPS on the same port, which neither IHS nor WAS will serve.
  2. If your applications and topology are compatible with HSTS, configure the Strict-Transport-Security header.
    Note: To satisfy a scanner or pen test, it may be necessary to implement HSTS in multiple places. For example, if the change is made only to IHS but the application server is scanned directly, the false positive will need to be accounted for on every scan. Furthermore, scans of WAS ports that are never accessed by interactive browsers will also produce a false positive, since HSTS is not meaningful there.
  3. Confirm the HSTS header is present in the HTTPS response
    • Use your browser's developer tools or a command-line HTTP client and look for a response header named Strict-Transport-Security.
    • Access your application once over HTTPS, then access the same application over HTTP. Verify that your browser automatically changes the URL to HTTPS over port 443.
  4. Test the affected applications.
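The following Python script is an added example, not code from this IBM document and not a feature of IHS or WAS. It models two of the checks above: for step 1.4 it rewrites a client-facing HTTP URL the way an HSTS-aware browser does (RFC 6797 section 8.3: the scheme becomes https, port 80 becomes 443, and any other explicit port is kept) and reports whether the resulting host and port is one where your topology actually terminates TLS; for step 3 it parses a captured HTTPS response and validates the Strict-Transport-Security header. The hostnames, ports and response text are constructed sample values.

```python
"""Added example: HSTS port-upgrade simulation and response-header check."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_HTTP_PORT = 80
DEFAULT_HTTPS_PORT = 443


def hsts_upgrade(url: str) -> str:
    """Rewrite an http:// URL as a browser with a cached HSTS policy would.

    RFC 6797 section 8.3: scheme becomes https; an implicit or explicit
    port 80 becomes 443; any other explicit port is kept as-is (which is
    exactly the case that breaks a non-default HTTP port on IHS/WAS).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): nothing to upgrade
    host = parts.hostname
    if parts.port is None or parts.port == DEFAULT_HTTP_PORT:
        netloc = host  # https default port 443 is implied
    else:
        netloc = f"{host}:{parts.port}"  # non-default port is preserved
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))


def hsts_reachability(http_urls, https_listeners):
    """Map each client-facing HTTP URL to (upgraded URL, served-by-TLS?).

    https_listeners is the set of (hostname, port) pairs on which the
    topology really serves HTTPS, e.g. {("example.com", 443)}.
    """
    report = {}
    for url in http_urls:
        upgraded = hsts_upgrade(url)
        p = urlsplit(upgraded)
        port = p.port or DEFAULT_HTTPS_PORT
        report[url] = (upgraded, (p.hostname, port) in https_listeners)
    return report


def parse_hsts_header(raw_response: str):
    """Return the Strict-Transport-Security directives as a dict, or None.

    Valueless directives (includeSubDomains, preload) map to True;
    directive names are lower-cased because they are case-insensitive.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            directives = {}
            for token in value.split(";"):
                token = token.strip()
                if not token:
                    continue
                key, _, val = token.partition("=")
                directives[key.strip().lower()] = val.strip().strip('"') if val else True
            return directives
    return None


def check_hsts(raw_response: str, min_max_age: int = 31536000):
    """Return (ok, reason) for the captured HTTPS response."""
    directives = parse_hsts_header(raw_response)
    if directives is None:
        return False, "Strict-Transport-Security header missing"
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return False, "max-age directive missing or not numeric"
    if int(max_age) < min_max_age:
        return False, f"max-age {max_age} below {min_max_age}"
    return True, "HSTS header present"


# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: IBM_HTTP_Server\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: IBM_HTTP_Server\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # Constructed topology: TLS is only terminated on example.com:443.
    listeners = {("example.com", DEFAULT_HTTPS_PORT)}
    for url, (upgraded, ok) in hsts_reachability(
        ["http://example.com/", "http://example.com:9080/"], listeners
    ).items():
        print(f"{url} -> {upgraded}: {'reachable' if ok else 'UNREACHABLE under HSTS'}")
    print(check_hsts(GOOD_RESPONSE))
    print(check_hsts(BAD_RESPONSE))
```

Run it against the URL list from step 1.4 and a list of the hostname:port pairs where TLS is really terminated; any entry reported as unreachable means the HTTP URL must be retired or the port layout changed before HSTS is enabled. For step 3, paste the raw response from your command-line HTTP client into check_hsts.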

Document Location

Worldwide


Document Information

Modified date:
16 June 2023

UID

ibm16337549