Note: This app is for Liferay 6.x and I won't port it to 7.x. By now, I feel that unconditional HTTPS is the standard and it's not worth worrying about conditionally allowing unencrypted HTTP. David Nebinger didn't think so and released a 7.x port of this app separately at https://web.liferay.com/marketplace/-/mp/application/178582958 - if you don't agree with my assertion and need this on 7.x, please go there. Otherwise just add something like the following line to your reverse proxy (here: Apache httpd):

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
This app adds the HSTS header (RFC-6797) to HTTPS responses *for Liferay 6.x*. More information about HSTS (HTTP Strict Transport Security) can be found here:
* https://tools.ietf.org/html/rfc6797
* http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
While it's possible to configure frontend webservers to add this header automatically, this app enables you to handle anonymous users differently from logged-in users: you can configure the timeout for both kinds of users separately, e.g. disable HSTS entirely for anonymous users while enforcing it for logged-in users.
Due to the nature of HSTS, this is browser based: whenever a user logs in on a specific browser, that browser is forced into HTTPS for the configured timeout, no matter if the user ever logs in again. The assumption is that whatever browser is used to log in to the system might be used to log in again. If nobody ever logged in from a certain browser and your site is public, you don't need to force them into HTTPS.
If a request is received through HTTPS, the header will be sent back. You will need to configure the timeout values in *Control Panel / Portal Settings / General*. The timeout is configured in seconds, i.e. one year (365 days) is equivalent to 31536000 seconds.
To deactivate this header, undeploy the plugin (it does nothing but add the header) or just minimize the impact by specifying a max-age of 0 (a max-age of 0 tells browsers to drop the policy they have already stored for your host).
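As an added illustration (not the app's own source code), a servlet filter implementing the behaviour described above: the header is only set on HTTPS responses, with a separate max-age for anonymous and logged-in users. The init-parameter names and the session attribute used to recognise a logged-in user are assumptions; the real app reads its settings from Portal Settings and uses Liferay's own user lookup.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Sets Strict-Transport-Security on HTTPS responses, with a separate max-age per user type. */
public class HstsFilter implements Filter {
    // Hypothetical init-params standing in for the Control Panel settings. A negative value means
    // "send no header" (HSTS off for that user type); 0 is sent as max-age=0, which makes a browser
    // forget a policy it already stored (RFC 6797, section 6.1.1).
    private long anonymousMaxAge = -1; // constructed default: anonymous visitors are not forced into HTTPS
    private long loggedInMaxAge = 30;  // constructed default: mirrors the app's safe 30-second default
    private boolean includeSubDomains = false;

    public void init(FilterConfig config) throws ServletException {
        String anon = config.getInitParameter("anonymousMaxAge");
        String user = config.getInitParameter("loggedInMaxAge");
        if (anon != null) anonymousMaxAge = Long.parseLong(anon.trim());
        if (user != null) loggedInMaxAge = Long.parseLong(user.trim());
        includeSubDomains = "true".equalsIgnoreCase(config.getInitParameter("includeSubDomains"));
    }

    /** Returns the header value to send, or null when no header should be sent. */
    static String headerValue(boolean secure, boolean loggedIn, long anonMaxAge, long userMaxAge, boolean subDomains) {
        if (!secure) return null; // browsers ignore STS received over plain HTTP, so do not send it there
        long maxAge = loggedIn ? userMaxAge : anonMaxAge;
        if (maxAge < 0) return null; // HSTS disabled for this kind of user
        return subDomains ? "max-age=" + maxAge + "; includeSubDomains" : "max-age=" + maxAge;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumption: a logged-in user is recognised by a session attribute; the real app asks Liferay.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("USER_ID") != null;
        String value = headerValue(request.isSecure(), loggedIn, anonymousMaxAge, loggedInMaxAge, includeSubDomains);
        if (value != null) response.setHeader("Strict-Transport-Security", value);
        chain.doFilter(req, res);
    }
    public void destroy() {}
}
```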
Note, due to the RFC-6797 specification, this can only work properly under the following circumstances:
* Your server has a properly trusted - not a self-signed - certificate
* You access your site through HTTPS (HSTS does not work on HTTP)
* You're running on the standard ports, 80 for HTTP and 443 for HTTPS, e.g. HSTS would happily rewrite http://localhost:8080 to https://localhost:8080 - and this obviously can't work.
This feature has been suggested in https://issues.liferay.com/browse/LPS-39213. Due to the nature of the app (manipulating HTTPS response headers) there are no meaningful screenshots available for this application. The images you see are: the Response-Header inspection in Firebug and the portal-ext.properties configuration that you need to override the default (safe) value of 30 seconds, so that the header is valid for a year.
New Features:
* Fully configurable through Control Panel - no restart required after installation
* Supports separate anonymous and logged-in HSTS configuration
* Security Manager enabled
* 6.x only - see start of this description for 7.x information