CA API Management: Add Strict Transport Security (HSTS) to a gateway response

Document ID : KB000017167
Last Modified Date : 26/07/2018
Show Technical Document Details

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections and never via the insecure HTTP protocol.


How can I add HSTS to a gateway responses?


This can be achieved by adding manage Transport Properties/ Headers assertion to your policy.

1. Add Manage Transport Properties/ Headers assertion to your policy.
2. Right click on the Manage Transport Properties/ Headers assertion and choose 'Select Target Message', set this to the RESPONSE object
3. In the Transport Properties/ Header Properties set the type to: HTTP Header
4. Set the operation: to add or replace
5. Set the name to: Strict-Transport-Security
6. Set the value as: max-age=86400; includeSubDomains; preload



Additional Information:

Below is the sample output

HTTP/1.1 200 OK 
Server: Apache-Coyote/1.1 
Strict-Transport-Security: max-age=86400; includeSubDomains; preload;
Content-Type: text/plain;charset=UTF-8 
Content-Length: 4 
Date: Tue, 14 Nov 2017 10:49:28 GMT 
X-RBT-Optimized-By: INHYRB04 (RiOS 9.6.0a) SC 


Additionally you can add this to a global fragment as well.