Enable HTTP Strict-Transport-Security
HTTP Strict-Transport-Security (HSTS) is a web security policy that forces browsers to make secure HTTPS connections to specified web applications. HSTS can protect websites against passive eavesdropping and active man-in-the-middle attacks.
IDM provides an HSTS configuration, but it is disabled by default. To enable HSTS, locate the following excerpt in your conf/jetty.xml file:
<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  ...
  <Call name="addCustomizer">
    <Arg>
      <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
        <!-- Enable SNI Host Check when true -->
        <Arg name="sniHostCheck" type="boolean">true</Arg>
        <!-- Enable Strict-Transport-Security header and define max-age when >= 0 seconds -->
        <Arg name="stsMaxAgeSeconds" type="long">-1</Arg>
        <!-- If enabled, add includeSubDomains to Strict-Transport-Security header when true -->
        <Arg name="stsIncludeSubdomains" type="boolean">false</Arg>
      </New>
    </Arg>
  </Call>
  ...
Set the following arguments:
stsMaxAgeSeconds
This parameter sets the length of time, in seconds, that the browser should remember that a site can only be accessed using HTTPS.
For example, the following setting applies the HSTS policy and remains in effect for an hour:
<Arg name="stsMaxAgeSeconds" type="long">3600</Arg>
stsIncludeSubdomains
If this parameter is true, the HSTS policy is applied to the domain of the issuing host as well as its subdomains:
<Arg name="stsIncludeSubdomains" type="boolean">true</Arg>
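As an added check after changing these arguments (example code written for this page, not part of the IDM documentation or of Jetty), the following computes the header value the two arguments should produce, parses a Strict-Transport-Security header, and reports findings for constructed sample responses. It assumes Jetty emits the header as max-age=N, optionally followed by "; includeSubDomains", and only on HTTPS responses.

```python
import re
from typing import Optional

def expected_hsts_header(sts_max_age_seconds: int, sts_include_subdomains: bool) -> Optional[str]:
    """Header value Jetty's SecureRequestCustomizer is expected to emit for the two
    jetty.xml arguments, or None when the header is disabled (stsMaxAgeSeconds < 0,
    the IDM default). Assumes Jetty's 'max-age=N[; includeSubDomains]' format."""
    if sts_max_age_seconds < 0:
        return None
    value = f"max-age={sts_max_age_seconds}"
    if sts_include_subdomains:
        value += "; includeSubDomains"
    return value

# One directive: a name, optionally followed by '=' and a (possibly quoted) value
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*)"?)?\s*$')

def parse_hsts(header_value: str) -> dict:
    """Split an HSTS header value into directives keyed by lower-cased name;
    a well-formed max-age is returned as an int, everything else as a string/None."""
    directives = {}
    for token in header_value.split(";"):
        m = _DIRECTIVE.match(token)
        if m:
            name, val = m.group(1).lower(), m.group(2)
            directives[name] = int(val) if name == "max-age" and val and val.isdigit() else val
    return directives

def check_hsts(headers: dict, min_max_age: int = 3600) -> list:
    """Return findings for a response's headers (keys matched case-insensitively).
    min_max_age defaults to the page's one-hour example; an empty list means OK."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing (stsMaxAgeSeconds still -1?)"]
    d = parse_hsts(value)
    findings = []
    if not isinstance(d.get("max-age"), int):
        findings.append("max-age directive missing or malformed")
    elif d["max-age"] < min_max_age:
        findings.append(f"max-age={d['max-age']} is below the minimum of {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains are not covered")
    return findings

# Constructed sample responses (not captured from a real IDM instance)
SAMPLE_DISABLED = {"Content-Type": "application/json"}
SAMPLE_ENABLED = {"Strict-Transport-Security": "max-age=3600; includeSubDomains"}
```

Feed check_hsts the response headers of a real HTTPS request to IDM (for example from a requests.Response.headers object) to confirm the new jetty.xml arguments took effect.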
For more information about HSTS, read this article.