Reputation: 21
How to set the strict transport security header for jetty 9.2.25
Am trying to add strict transport security header for my jetty server 9.2.25
I have tried to add the rule to my jetty-config.xml, but it seems not working.
<Get id="oldhandler" name="handler"/>
<Set name="handler">
<New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<Set name="handler">
<Ref id="oldhandler"/>
</Set>
<Set name="rewriteRequestURI">true</Set>
<Set name="rewritePathInfo">false</Set>
<Set name="originalPathAttribute">requestedPath</Set>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">/*</Set>
<Set name="name">Strict-Transport-Security</Set>
<Set name="value">max-age=31536000;includeSubDomains</Set>
</New>
</Arg>
</Call>
</New>
</Set>
To check if it is working, I tried to see the curl output, its not displaying the Strict-Transport-Security information. Actually, it should display the below line in the curl output.
Strict-Transport-Security: max-age=31536000; includeSubDomains
root@ip:~#curl -k --head https://ip:443
HTTP/1.1 200 OK
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=157bfeip315gbmb796uh2yq4m;Path=/;Secure
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-store
Content-Length: 8246
Server: Jetty(9.2.25.v20180606)
please let me know if any changes are needed in this config/Any other way to configure the jetty web server for adding HSTS header.
Thanks for your help.
Upvotes: 0
Views: 5553
Answers (1)
Reputation: 600
Did you try this :
<Set name="rules">
<Array type="org.eclipse.jetty.rewrite.handler.Rule">
<Item>
<New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Strict-Transport-Security</Set>
<Set name="value">max-age=31536000;includeSubDomains</Set>
</New>
</Item>
</Array>
</Set>
Upvotes: 0
Related Questions
- Setting HTTP headers with Jetty
- Jetty HttpClient 9 (9.0.0.M5) SSLContextFactory's TrustAll flag not working?
- Is there a way to force Jetty to only use HTTPS?
- Remove the HTTP Server header in Jetty 9
- How to enable HTTPS in GWT's Jetty?
- Configure SSL on Jetty
- Configuring SSL with Jetty 9
- How to enable HSTS (HTTP Strict Transport Security) in Tomcat + JIRA
- Setting headers using Jetty Websocket Client
- How to override the default Host request header using Jetty HTTP Client v9?