Enable HSTS and Supported Ciphers

Document ID : KB000100802
Last Modified Date : 18/06/2018
Question:
As part of security compliance, we have been asked the following on the CA API Gateway:

1. Enable HSTS (with max-age=31536000) on application and host
2. Ensure application supports AES-SHA ciphers.

Could you please provide guidance on how to enable HSTS and ensure AES-SHA ciphers are supported?
Answer:
-------------------------------------
1. Enable HSTS (with max-age=31536000) on application and host
-------------------------------------
HSTS can be enabled by adding a Manage Transport Properties/Headers assertion to your policy. Please try the following:

1. In the Transport Properties/Header Properties, set the type to HTTP
2. In the Transport Properties/Header Properties, change the operation to add or replace
3. In the Transport Properties/Header Properties, set the Property/Header name to Strict-Transport-Security
4. In the Transport Properties/Header Properties, set the value to max-age=31536000; includeSubDomains; preload
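
Once the assertion is in place, the response headers can be checked against the requirement. The following is an added example, not part of the original KB article or CA's code; the function names and the sample header sets are constructed for illustration.

```python
import re

REQUIRED_MAX_AGE = 31536000  # value from the compliance requirement above


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Per RFC 6797 section 6.1: names are case-insensitive, max-age may be
    quoted, and a repeated directive makes the whole header invalid.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers):
    """Return a list of findings for a response's headers; empty means compliant."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not a number")
    elif int(max_age) < REQUIRED_MAX_AGE:
        findings.append("max-age %s is below %d" % (max_age, REQUIRED_MAX_AGE))
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            findings.append(flag + " directive not set")
    return findings


# Constructed sample responses (not captured from a real gateway).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
```

Pass check_hsts() the headers of an HTTPS response from the published service; browsers ignore this header when it arrives over plain HTTP.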


-------------------------------------
2. Ensure application supports AES-SHA ciphers.
-------------------------------------
The following KB article outlines the supported ciphers for the API Gateway to be TLS 1.2 compliant.

TLS 1.2 Compliant