System Configuration

Enabling HTTP Strict Transport Security (HSTS)

Overview

To enable HTTP Strict Transport Security (HSTS):

    1. Stop Cascade CMS.
    2. Edit the file tomcat/conf/web.xml.
    3. Add the following just before the closing </web-app> tag:

      <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
          <param-name>hstsEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>hstsMaxAgeSeconds</param-name>
          <param-value>31536000</param-value>
        </init-param>
        <init-param>
          <param-name>hstsIncludeSubDomains</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>SAMEORIGIN</param-value>
        </init-param>
      </filter>

      <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
    4. Save the file.
    5. Start Cascade CMS.

See the official Apache Tomcat documentation for HttpHeaderSecurityFilter for additional information.
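A post-change check, added here as an example and not part of the original documentation or of Cascade CMS: after step 5, capture the response head of the site over HTTPS (for example with curl -sI https://cascade.example.com/, where the host name is a placeholder) and feed it to the script below, which parses the headers and compares them with the init-params in the web.xml snippet above. The two sample responses inside the script are constructed. The check is built to catch one common surprise: Tomcat's HttpHeaderSecurityFilter only emits Strict-Transport-Security when it considers the request secure (request.isSecure()), so if TLS terminates at a load balancer or reverse proxy that talks plain HTTP to Tomcat, the header is absent until the connector (secure="true", scheme="https") or RemoteIpValve tells Tomcat the original request was HTTPS.

```python
"""Verify that Tomcat's HttpHeaderSecurityFilter is emitting the headers
configured in web.xml, given a raw HTTP response head (status line plus
headers) captured from the running site."""

import sys

# Expected values taken from the init-params in the web.xml snippet above.
EXPECTED_MAX_AGE = 31536000
EXPECTED_INCLUDE_SUBDOMAINS = True
EXPECTED_FRAME_OPTION = "SAMEORIGIN"


def parse_response_head(raw: str) -> dict:
    """Parse an HTTP/1.x status line plus headers into a lower-cased dict.
    Anything after the first blank line (a body) is ignored."""
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.
    Tomcat writes 'max-age=31536000;includeSubDomains' with no space after
    the ';', other servers add one, so split on ';' and strip."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return directives


def check_security_headers(raw_response: str) -> list:
    """Return a list of findings; an empty list means the filter is in
    effect exactly as configured."""
    headers = parse_response_head(raw_response)
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(
            "Strict-Transport-Security missing: the filter only emits it when "
            "Tomcat sees the request as secure (request.isSecure()); check the "
            "connector's secure/scheme settings or RemoteIpValve if TLS "
            "terminates at a proxy"
        )
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1
        if max_age != EXPECTED_MAX_AGE:
            findings.append(
                f"HSTS max-age is {d.get('max-age')!r}, expected {EXPECTED_MAX_AGE}"
            )
        if EXPECTED_INCLUDE_SUBDOMAINS and "includesubdomains" not in d:
            findings.append("HSTS includeSubDomains directive missing")

    xfo = headers.get("x-frame-options")
    if xfo is None or xfo.upper() != EXPECTED_FRAME_OPTION:
        findings.append(
            f"X-Frame-Options is {xfo!r}, expected {EXPECTED_FRAME_OPTION}"
        )
    return findings


# Constructed sample: what a correctly configured instance returns over HTTPS.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample: TLS terminated at a proxy that speaks plain HTTP to
# Tomcat, so Tomcat treats the request as insecure and omits HSTS.
PROXIED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a captured head: python3 check_headers.py headers.txt
        with open(sys.argv[1]) as fh:
            print(check_security_headers(fh.read()) or "all headers OK")
    else:
        for label, resp in (("good", GOOD_RESPONSE), ("proxied", PROXIED_RESPONSE)):
            print(label, check_security_headers(resp) or "all headers OK")
```

Save the output of curl -sI to a file and pass that file as the single argument; with no argument the script runs against its two built-in samples. The max-age comparison is exact on purpose: after an upgrade restores the stock web.xml, the header disappears entirely, and a reduced max-age or a dropped includeSubDomains directive usually means the filter definition was merged back by hand and differs from what was documented (see the tip below).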

Tip: Be sure to document any changes you make to the web.xml file so that you can put them back in place after any future upgrades to the application.