HSTS Header Implementation

Objective

To enforce secure communication by enabling HTTP Strict Transport Security (HSTS) on Apache Tomcat, so that browsers which have seen the policy refuse to talk to the site (and, with includeSubDomains, its subdomains) over plain HTTP for the lifetime of the policy.


Implementation Approach

Step 1: File Location

<Tomcat_Home>/conf/web.xml

Filters defined in conf/web.xml apply to every web application deployed on the instance. To scope the policy to a single application, put the same definition in that application's WEB-INF/web.xml instead.

Step 2: Add HSTS Filter

The stock conf/web.xml shipped with Tomcat already contains this filter in a commented-out block; either uncomment and adjust it, or add the following configuration:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>

    <!-- hstsEnabled already defaults to true; it is set explicitly for clarity.
         The header is only emitted on requests Tomcat regards as secure. -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>

    <!-- Default is 0, which yields an ineffective policy, so this value is required. -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>

    <!-- Default is false. Only enable once every subdomain serves valid HTTPS. -->
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>

    <async-supported>true</async-supported>
</filter>

<!-- Apply to every request path; only the REQUEST dispatcher is needed,
     forwards and includes reuse the response that already carries the header. -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Configuration Details

  • hstsEnabled = true
    Enables the Strict-Transport-Security header (default true; the header is still only sent on secure requests)
  • hstsMaxAgeSeconds = 31536000
    Tells browsers to use HTTPS only for this host for 1 year (default 0, so this must be set)
  • hstsIncludeSubDomains = true
    Extends the policy to all subdomains (default false)

HttpHeaderSecurityFilter also sets other headers with its defaults: X-Frame-Options: DENY (antiClickJackingEnabled) and X-Content-Type-Options: nosniff (blockContentTypeSniffingEnabled). If the application is legitimately embedded in frames, set antiClickJackingOption to SAMEORIGIN or disable that option rather than removing the filter.

Validation

  1. Open the application over HTTPS in a browser and open the developer tools (F12)
  2. Go to the Network tab and select the request to the application
  3. Check the Response Headers of that request

Verify that the response contains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The header must be absent when the same URL is requested over plain HTTP: Tomcat only adds it to secure requests, and browsers ignore HSTS received over HTTP or over a connection with a certificate error.
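As an added example that is not part of the original page and not Tomcat's own tooling, the POSIX shell function below checks a raw response-header block for an HSTS policy matching the configuration above (max-age of at least 31536000 and includeSubDomains). The hostname in the usage comment is a placeholder; the header lines used to exercise it are constructed, and curl is assumed to be available for fetching live headers.

```shell
#!/bin/sh
# Added example (not from the original page): validate the HSTS policy in a
# raw HTTP response-header block read from stdin.
# Usage against a live server (hostname is a placeholder):
#   curl -sI https://app.example.com/ | sh check_hsts.sh -
# Exit status 0 = policy meets the configuration above, 1 = it does not.

MIN_AGE="${MIN_AGE:-31536000}"   # one year, matching hstsMaxAgeSeconds

check_hsts() {
    # Strip CRs, match the header name case-insensitively (header names are
    # case-insensitive), keep the first occurrence, drop the name and spaces.
    hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
           | cut -d: -f2- | tr -d ' \t')
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header (plain HTTP, or Tomcat did not see the request as secure?)"
        return 1
    fi
    # Directives are ';'-separated. max-age is mandatory and must be numeric.
    max_age=$(printf '%s\n' "$hsts" | tr ';' '\n' | grep -i '^max-age=' \
              | head -n 1 | cut -d= -f2 | tr -d '"')
    case "$max_age" in
        ''|*[!0-9]*) echo "FAIL: missing or non-numeric max-age in '$hsts'"; return 1 ;;
    esac
    if [ "$max_age" -lt "$MIN_AGE" ]; then
        echo "FAIL: max-age=$max_age is below the required $MIN_AGE"
        return 1
    fi
    # includeSubDomains carries no value; match the whole directive.
    if ! printf '%s\n' "$hsts" | tr ';' '\n' | grep -iq '^includeSubDomains$'; then
        echo "FAIL: includeSubDomains missing in '$hsts'"
        return 1
    fi
    echo "OK: Strict-Transport-Security: $hsts"
    return 0
}

# With "-" as the first argument, read headers from stdin (e.g. piped from
# curl); with no argument the file only defines the function, so it can be
# sourced from other scripts.
if [ "$1" = "-" ]; then
    check_hsts
fi
```

Run it once against the HTTPS URL (expect OK) and once against the plain HTTP URL of the same host (expect FAIL with no header); a FAIL over HTTPS on a server behind a TLS-terminating proxy usually means Tomcat is not seeing the request as secure.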

Note

  • The header is only added when the application is accessed via HTTPS. If TLS is terminated on a load balancer or reverse proxy in front of Tomcat, Tomcat sees plain HTTP and will not send the header; configure RemoteIpValve or RemoteIpFilter with the proxy's X-Forwarded-Proto header so the request is treated as secure
  • Restart Tomcat after changing conf/web.xml
  • Ensure TLS is correctly configured, with a valid certificate for the host and every subdomain, before enabling HSTS; browsers cache the policy for max-age, so an HTTP-only subdomain becomes unreachable once includeSubDomains is in effect
  • For a first rollout, consider a short max-age (for example a few minutes) and raise it to one year once nothing breaks; to withdraw the policy, serve max-age=0 over HTTPS and wait for cached entries to expire
