How can we enable HSTS (HTTP Strict-Transport-Security) in WebLogic Server

Rakesh Bhagat · Aug 16, 2016 · Viewed 8.3k times

I want to convert HTTP requests to HTTPS for my website. I have already obtained an SSL certificate, but there may be a chance of bypassing my application's enabled encryption, and even after having the certificate my application is not able to prevent access over an unsecure connection.

Answer

Slettal · Aug 16, 2016

Unfortunately there is no easy way to enable this in WebLogic (easy in the form of a simple checkbox).

Your best option is probably to add your own filter to add the HSTS header. Have a look at this answer on how to do that: https://stackoverflow.com/a/30455120/1391209

Here is the relevant answer text for easier reference (and in case that answer gets deleted):

You can add it using a filter. Add the following snippet to web.xml:

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>security.HSTSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And then create a filter in your webapp:

package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds the Strict-Transport-Security header to every response served over HTTPS.
 * The header is deliberately not sent over plain HTTP: RFC 6797 tells browsers to
 * ignore it there, so it is only meaningful on a secure connection.
 */
public class HSTSFilter implements Filter {

    // max-age is in seconds; 31622400 is one (leap) year.
    private static final String HSTS_VALUE = "max-age=31622400; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        // isSecure() reflects the connection the container itself sees; behind a
        // proxy that terminates TLS it is only true if the container is told so.
        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", HSTS_VALUE);

        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
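Once the filter is deployed, the thing to verify is what the server actually sends back: the header must be present on HTTPS responses, parse correctly, carry a long enough max-age and (if that is the intent) includeSubDomains, and should not be the only thing standing between you and a misconfigured filter that never fires. The checker below is an added example, not code from the question, the answer, or WebLogic; it parses a Strict-Transport-Security value using the directive syntax of RFC 6797 and reports findings for a few constructed sample responses. The sample headers, the `min_age` threshold and the function names are assumptions made for the example; feed it the headers you collect from your own server (for instance with `curl -sI`).

```python
"""
Added example (not from the original question or answer): a small checker that
parses the Strict-Transport-Security header a server returns and reports whether
it gives browsers the protection discussed above.  All sample headers below are
constructed, not captured from any real WebLogic server.
"""
import re

# Directive grammar from RFC 6797: directives separated by ';', names are
# case-insensitive, and max-age carries a value in seconds (optionally quoted).
_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?([^";]*)"?)?\s*')


def parse_hsts(value):
    """Return {directive_name: value_or_None} for an STS header value.
    Raises ValueError on malformed, duplicated or missing-max-age directives,
    which is what makes a browser ignore the whole header."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError("malformed directive: %r" % part)
        name = m.group(1).lower()
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = m.group(2)
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def check_response(scheme, headers, min_age=31536000):
    """Evaluate one response (scheme is 'http' or 'https'; headers is a dict whose
    names may be in any case) and return a list of findings; empty means OK.
    min_age (one year here) is an assumed policy threshold, not an RFC value."""
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    findings = []
    if scheme == "http":
        if sts is not None:
            # Browsers ignore STS received over plain HTTP; seeing it here means
            # the filter is not gated on a secure connection as intended.
            findings.append("STS header sent over plain HTTP (ignored by browsers)")
        return findings
    if sts is None:
        findings.append("no Strict-Transport-Security header on HTTPS response")
        return findings
    try:
        d = parse_hsts(sts)
    except ValueError as e:
        findings.append("unparseable STS header: %s" % e)
        return findings
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 removes the policy from the browser's cache")
    elif age < min_age:
        findings.append("max-age %d is below the policy minimum of %d seconds" % (age, min_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return findings


# Constructed sample responses (scheme, response headers) for the demonstration.
SAMPLES = {
    "https-good": ("https", {"Strict-Transport-Security": "max-age=31622400; includeSubDomains"}),
    "https-missing": ("https", {"Content-Type": "text/html"}),
    "https-short": ("https", {"strict-transport-security": "max-age=300"}),
    "http-leak": ("http", {"Strict-Transport-Security": "max-age=31622400"}),
}


def audit(samples=SAMPLES):
    """Run check_response over every sample and return {name: findings}."""
    return {name: check_response(scheme, hdrs) for name, (scheme, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", findings or ["OK"])
```

The "http-leak" sample is the case worth keeping an eye on: the filter above only sets the header when `req.isSecure()` is true, so a header showing up on a plain-HTTP response is a sign that either the filter was changed or the container treats a proxied connection as secure when it is not. The reverse failure (no header on HTTPS because a TLS-terminating load balancer makes `isSecure()` return false) shows up as the "https-missing" finding.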