HSTS (RFC6797) HTTP Strict Transport Security 7.x

David H Nebinger
Identity Management & Governance

This app adds the HSTS header (RFC 6797) to HTTPS responses. More information about HSTS (HTTP Strict Transport Security) can be found here:

While it's possible to configure frontend web servers to add this header automatically, this app lets you treat anonymous users differently from logged-in users: the timeout can be configured separately for each kind of user, e.g. to disable HSTS entirely for anonymous users while enforcing it for logged-in users.

Due to the nature of HSTS, this is browser based: whenever a user logs in from a specific browser, that browser is forced to use https from then on, regardless of whether the user ever logs in again. The assumption is that whichever browser was used to log in to the system might be used to log in again. If nobody has ever logged in from a certain browser and your site is public, you don't need to force that browser into https.

If a request is received through https, the header is sent back. You need to configure the timeout values in *Control Panel / Portal Settings / General*. The timeout is configured in seconds, i.e. one year (365 days) is equivalent to 31536000 seconds.

To deactivate this header, undeploy the plugin (it does nothing but add the header), uncheck the Enabled checkbox in the HSTS configuration, or minimize the impact by specifying a max-age of 0.
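The per-user-type decision described in the last few paragraphs, as an added illustration in Python (this is not the Liferay module's own code; `HstsConfig`, its field names and the request flags are assumptions). It shows the three inputs that decide whether a `Strict-Transport-Security` header goes out: was the request received over https, is the user logged in, and what max-age is configured for that kind of user. It also separates "send nothing" from "send max-age=0", because the latter is not a no-op: RFC 6797 Section 6.1.1 defines a zero max-age as an instruction to the browser to forget the policy it already stored.

```python
"""Header-selection logic for per-user-type HSTS (added illustration, not the
module's code: HstsConfig, its field names and the request flags are assumed)."""
from dataclasses import dataclass
from typing import Dict, Optional

HSTS_HEADER = "Strict-Transport-Security"
ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds, the value quoted in the text


@dataclass(frozen=True)
class HstsConfig:
    """Assumed mirror of the Control Panel settings the text describes.
    A max-age of None means 'send no header at all' for that kind of user;
    0 means 'send max-age=0', which actively tells the browser to drop the
    stored policy (RFC 6797, Section 6.1.1)."""
    enabled: bool = True
    anonymous_max_age: Optional[int] = None
    logged_in_max_age: Optional[int] = ONE_YEAR


def hsts_header_value(secure: bool, logged_in: bool, cfg: HstsConfig) -> Optional[str]:
    """Return the header value to send, or None when no header should be sent."""
    if not cfg.enabled or not secure:
        # RFC 6797 Sections 7.2 and 8.1: a host must not send the header over
        # plain http and a browser ignores it there anyway, so never emit it.
        return None
    max_age = cfg.logged_in_max_age if logged_in else cfg.anonymous_max_age
    if max_age is None:
        return None
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    return f"max-age={max_age}"


def apply_hsts(headers: Dict[str, str], secure: bool, logged_in: bool,
               cfg: HstsConfig) -> Dict[str, str]:
    """Return a copy of the response headers with the HSTS header added when due."""
    out = dict(headers)
    value = hsts_header_value(secure, logged_in, cfg)
    if value is not None:
        out[HSTS_HEADER] = value
    return out


if __name__ == "__main__":
    cfg = HstsConfig()
    # Constructed scenarios: (received over https?, user logged in?)
    for secure, logged_in in [(True, True), (True, False), (False, True)]:
        result = apply_hsts({"Content-Type": "text/html"}, secure, logged_in, cfg)
        print(f"secure={secure} logged_in={logged_in} -> {result}")
```

With the defaults above, a logged-in user on https gets `max-age=31536000`, an anonymous user on https gets no header (so a policy the browser stored from an earlier login stays in force), and nothing is ever sent on http. Setting `anonymous_max_age=0` instead would revoke the stored policy as soon as the user logs out and loads a page anonymously, which is the behaviour to reach for only when you want the "minimize the impact" kill switch the text mentions.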

Note: due to the RFC 6797 specification, this can only work properly under the following circumstances:

  • Your server has a properly trusted, not self-signed, certificate
  • You access your site through https (HSTS does not work on http)
  • You're running on the standard ports, 80 for http and 443 for https; otherwise HSTS would happily rewrite http://localhost:8080 to https://localhost:8080, which obviously can't work.
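The third condition follows from how a browser rewrites references to a host it has recorded as an HSTS host (RFC 6797, Section 8.3): the scheme becomes https, an explicit port 80 becomes 443, and any other explicit port is kept as it is. The following added Python simulation (illustrative code, not part of the module; the URLs in the demo are constructed) reproduces that rewrite and wraps it in a small pre-flight check for the scheme and port conditions listed above. Certificate trust cannot be judged from a URL and is not checked.

```python
"""Simulation of the RFC 6797 Section 8.3 URI rewrite, plus a pre-flight check
for the scheme and port preconditions (added illustration, not the module's code)."""
from typing import List
from urllib.parse import urlsplit, urlunsplit


def hsts_rewrite(url: str) -> str:
    """Rewrite a plain-http URL the way a browser does for a Known HSTS Host:
    scheme -> https, explicit port 80 -> 443 (left implicit here), any other
    explicit port preserved unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # only plain-http references are rewritten
    host = parts.hostname or ""
    if ":" in host:  # re-bracket IPv6 literals that urlsplit unwraps
        host = f"[{host}]"
    port = parts.port  # None when the URL carries no explicit port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def hsts_preflight(site_url: str) -> List[str]:
    """Return the listed preconditions that the deployment at site_url violates."""
    problems: List[str] = []
    parts = urlsplit(site_url)
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"
    if parts.scheme != "https":
        problems.append("site is served over http: browsers ignore the header there")
    elif parts.port not in (None, 443):
        # The policy is keyed on the host name, not the port, so http links to this
        # host keep their own port when rewritten and never reach the TLS listener.
        example = hsts_rewrite(f"http://{host}:8080/")  # constructed example port
        problems.append(
            f"non-standard https port {parts.port}: a link such as "
            f"http://{host}:8080/ would be rewritten to {example}"
        )
    return problems


if __name__ == "__main__":
    # Constructed URLs showing the rewrite and the pre-flight check.
    for u in ["http://example.com/a?b=1", "http://example.com:80/x",
              "http://localhost:8080/", "https://example.com/"]:
        print(f"{u} -> {hsts_rewrite(u)}")
    for site in ["https://example.com/", "http://example.com/", "https://localhost:8443/"]:
        print(site, hsts_preflight(site) or "ok")
```

Run it and the page's own example appears verbatim: `http://localhost:8080/` is rewritten to `https://localhost:8080/`, a port on which no TLS listener exists, which is exactly why a development instance on 8080/8443 cannot be used to try the header out.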

This feature was suggested in http://issues.liferay.com/browse/LPS-39213. Due to its nature (manipulating HTTPS response headers) there are no meaningful screenshots available for this application. The images you see are of the instance configuration panel.

New Features:

  • Fully configurable through Control Panel - no restart required after installation
  • Supports separate anonymous and logged-in HSTS configuration

NOTE: This is a 7.x version of Olaf Kock's original module - https://marketplace.liferay.com/p/hsts-rfc6797-http-strict-transport-security

Release Summary and Release Notes

Supported Framework Versions:

  • Liferay DXP 7.3 GA1+
  • Liferay CE Portal 7.3 GA1+
  • Liferay DXP 7.2 GA1+
  • Liferay CE Portal 7.2 GA1+
  • Liferay DXP 7.1 GA1+
  • Liferay CE Portal 7.1 GA1+

Author: David H Nebinger
Published Date: November 24, 2020
Supported Versions: 7.3, 7.2, 7.1 (EE, CE)

Installation Instructions

This is a Legacy App that is no longer available in the new App Marketplace. You are able to acquire it from your installed DXP or CE instance and install it by following the instructions below.

Acquiring this App through the legacy Liferay Portal Store

1. Review app documentation for any specific installation instructions.
2. Log in to your Liferay Portal instance with administrative permissions.
3. Navigate to the Control Panel, Marketplace (or Apps for 7.3 and prior), then Store.
4. If needed, log in to your Liferay.com account by choosing Sign In.
5. Search for the app name in the Search dialog.
6. Once the app is found, click on the app in the search results.
7. On the app details page, choose to acquire the app by selecting the Free, Buy, or Trial button.
8. Follow the instructions on the screen to complete the acquisition.

Installing this App through legacy Liferay Portal Purchased Apps

1. After acquiring the app, log in to your Liferay Portal instance with administrative permissions.
2. Navigate to the Control Panel, Marketplace (or Apps for 7.3 and prior), then Purchased.
3. If needed, log in to your Liferay.com account by choosing Sign In.
4. Click the Install button to install your app on your Liferay Portal instance.

See the legacy App Marketplace help documentation for more information.