How to enable and configure HTTP Strict Transport Security (HSTS) response header on Confluence


Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

According to the HTTP Strict Transport Security (HSTS) RFC (RFC 6797), HSTS is a mechanism for websites to tell browsers that they should only be accessed over secure connections (HTTPS).
This is declared through the Strict-Transport-Security HTTP response header. To enable it, you need to either configure a reverse proxy (or load balancer) to send the HSTS response header, or configure it in Tomcat.

If using NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. On Apache, you may use the mod_headers module to set response headers.

If you would like to configure it directly on Tomcat, refer to the steps below.

Solution

  1. Edit the <Confluence Install folder>/conf/web.xml file.
  2. Search for the following filter definition:

    <!--
        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
        </filter>
    -->
  3. Uncomment the block above to enable it. To learn more about this filter, check the Tomcat documentation.

  4. You can customize the filter by adding parameters as follows:

        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
            <init-param>
                <param-name>hstsEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>hstsMaxAgeSeconds</param-name>
                <param-value>31536000</param-value>
            </init-param>
            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value>
            </init-param>
        </filter>
  5. (warning) Make sure the antiClickJackingOption parameter is set to the value SAMEORIGIN; otherwise, pages that contain iframes can stop working after enabling HSTS.
  6. (warning) Keep the <async-supported> line above the <init-param> entries, as shown in the example above. Otherwise, you may hit XML validation errors if validation is enabled directly on the context or through the STRICT_SERVLET_COMPLIANCE system property.

  7. Next, search for this block:

    <!-- The mapping for the HTTP header security Filter -->
    <!--
        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    -->
  8. Uncomment the mapping above and save the file.

  9. Restart Confluence so the modifications are applied.
    (warning) If you are running Data Center, make sure to apply the same steps on all nodes of the cluster.
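
To check an edited web.xml against the settings above before restarting, here is an added Python example (not Atlassian's code; the sample web.xml fragment and its web-app namespace URI are constructed): it parses the file, confirms the filter is defined and mapped, and flags the ordering and parameter pitfalls from steps 5 and 6.

```python
import xml.etree.ElementTree as ET
# Constructed sample of the relevant part of a Confluence web.xml after the steps
# above (not a real file; the web-app namespace URI is an assumption).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""

def local(tag):  # strip the "{namespace}" prefix so tags compare by local name
    return tag.rsplit("}", 1)[-1]

def text_of(element, name):  # stripped text of the first child named `name`, else None
    return next(((c.text or "").strip() for c in element if local(c.tag) == name), None)

def audit_header_filter(web_xml_text, filter_name="httpHeaderSecurity"):
    """Return findings against the article's settings; an empty list means all good."""
    root = ET.fromstring(web_xml_text)
    # A filter still inside an XML comment is invisible to the parser, so it reads as undefined.
    flt = next((f for f in root if local(f.tag) == "filter"
                and text_of(f, "filter-name") == filter_name), None)
    if flt is None:
        return [f"<filter> {filter_name} not defined (still commented out?)"]
    findings = []
    order = [local(c.tag) for c in flt]
    # Step 6: <async-supported> must precede every <init-param>, or strict XML validation fails
    if {"async-supported", "init-param"} <= set(order) and order.index("async-supported") > order.index("init-param"):
        findings.append("<async-supported> appears after an <init-param>")
    params = {text_of(p, "param-name"): text_of(p, "param-value")
              for p in flt if local(p.tag) == "init-param"}
    for name, want in (("hstsEnabled", "true"), ("antiClickJackingOption", "SAMEORIGIN")):
        if params.get(name) != want:  # step 5: anything but SAMEORIGIN can break iframed pages
            findings.append(f"{name} is not {want}")
    if not (params.get("hstsMaxAgeSeconds") or "").isdigit():
        findings.append("hstsMaxAgeSeconds is missing or not a number")
    mapped = [m for m in root if local(m.tag) == "filter-mapping" and text_of(m, "filter-name") == filter_name]
    if not mapped:  # steps 7-8: without a <filter-mapping> the filter never runs
        findings.append("<filter-mapping> for the filter is missing")
    return findings
```

Run it against the real file with `audit_header_filter(open("<Confluence Install folder>/conf/web.xml").read())` on each node; an empty list means the configuration matches the steps above.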

See Also

HTTP Strict Transport Security on Wikipedia

HTTP Strict Transport Security on IETF

Strict-Transport-Security on MDN

HTTP Header Security Filter on Apache Tomcat 9 Configuration Reference



Last modified on Jul 19, 2021
