HTTPA - HSTS Missing From HTTPS Server (RFC 6797)

By kimot, 2 August, 2024

If a scanner reports the HSTS Missing From HTTPS Server (RFC 6797) vulnerability on one of your HTTP servers, it means that HTTPS isn't exclusively required for that particular website, so a connection may be redirected to insecure HTTP without the visitor knowing.

To enforce HSTS on your HTTP server you have to add this response header line to the web server configuration:
Strict-Transport-Security: max-age=31536000; includeSubDomains

max-age - the validity period of the policy, in seconds
includeSubDomains - recommended only if all present and future subdomains will be served over HTTPS.

On HTTPA you can run an Application Server or an HTTP server. Each of them has its own configuration file.

For the HTTP server you can edit the configuration file easily in the HTTPA interface:


For the Application server you have to find the path to the configuration file first and then change it in an editor. It is recommended to make a backup of the configuration files first:


Here you can see the beginning of the configuration file for Navigator with HSTS switched on.

<?xml version="1.0" encoding="UTF-8"?>
<server description="admin1">
  <webContainer deferServletLoad="false" setContentLengthOnClose="false" extractHostHeaderPort="true" trustHostHeaderPort="true" addstricttransportsecurityheader="max-age=31536000;includeSubDomains" disableXPoweredBy="true"/>
  <applicationManager autoExpand="true"/>
...


It is of course possible to check the HSTS settings in a web browser:

But it is easier to use the curl command:

curl -ksSI -u user_name:user_password https://ibmserver:2010/

and you will get something like this:

HTTP/1.1 302 Found
Date: Fri, 02 Aug 2024 07:42:49 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000;includeSubDomains
Location: https://ibms2a:2010/HTTPAdmin
Connection: close
Content-Type: text/html; charset=UTF-8

Keep in mind, however, that a redirection may be configured for the given website, as is the case with HTTPA, and the scanner (e.g. Nessus) may have a problem with it.
In my case this change in the configuration file was helpful:

<VirtualHost *:2010>
   SSLEngine On
   SSLAppName QIBM_HTTP_SERVER_ADMIN3
   SSLProtocolDisable SSLv3 TLSv1 TLSv1.1
   Header always set Strict-Transport-Security "max-age=63072000"
   RewriteEngine On
   RewriteOptions Inherit
   RewriteRule ^/$ %{HTTP_HOST} [C]
   RewriteRule ^(.*):2010$ https://$1:2010/HTTPAdmin [R,L]
 #  RewriteRule ^/ibm/console/?$ %{HTTP_HOST} [C]
 #  RewriteRule ^(.*):2010$ https://$1:2005/ibm/console [R,L]
 #  RewriteRule ^/ibm/console/.*$ %{HTTP_HOST} [C]
 #  RewriteRule ^(.*):2010$ https://$1:2005/ibm/console [R,L]
 #  RewriteRule ^/webnav/WnServlet$ %{HTTP_HOST} [C]
 #  RewriteRule ^(.*):2010$ https://$1:2005/ibm/console/xLaunch.do?pageID=com.ibm.i5OS.webnav.navigationElement.WebnavBasePortlet&%{QUERY_STRING} [R,L]
 #  RewriteRule ^/iamobile/?$ %{HTTP_HOST} [C]
 #  RewriteRule ^(.*):2010$ https://$1:2012/iamobile/iWAHome [R,L]
 #  RewriteRule ^/iamobile/(.*)$ %{HTTP_HOST}/iamobile/$1 [C]
 #  RewriteRule ^(.*):2010/iamobile/(.*)$ https://$1:2012/iamobile/$2 [R,L]
 #  RewriteRule ^/IDSWebApp/?$ %{HTTP_HOST} [C]
 #  RewriteRule ^(.*):2010$ https://$1:2005/IDSWebApp/ [R,L]
 #  RewriteRule ^/IDSWebApp/(.*)$ %{HTTP_HOST}/IDSWebApp/$1 [C]
 #  RewriteRule ^(.*):2010/IDSWebApp/(.*)$ https://$1:2005/IDSWebApp/$2 [R,L]
 #  RewriteRule ^/db2mirror/?$ %{HTTP_HOST} [C]
 #  RewriteRule ^(.*):2010$ https://$1:2007/Db2Mirror [R,L]
   RewriteRule ^/dcm/?$ %{HTTP_HOST} [C]
   RewriteRule ^(.*):2010$ https://$1:2007/dcm/ [R,L]
   RewriteRule ^/dcm/(.*)$ %{HTTP_HOST}/dcm/$1 [C]
   RewriteRule ^(.*):2010/dcm/(.*)$ https://$1:2007/dcm/$2 [R,L]
   RewriteRule ^/Navigator/?$ %{HTTP_HOST} [C]
   RewriteRule ^(.*):2010$ https://$1:2003/Navigator/ [R,L]
   RewriteRule ^/Navigator/(.*)$ %{HTTP_HOST}/Navigator/$1 [C]
   RewriteRule ^(.*):2010/Navigator/(.*)$ https://$1:2003/Navigator/$2 [R,L]
</VirtualHost>
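To make the curl check and the redirect caveat above repeatable, here is an added Python example (not part of the original post and not an IBM tool) that audits the Strict-Transport-Security header of the first HTTPS response without following redirects, so that the 302 HTTPA returns is what gets evaluated, and applies the same RFC 6797 directive parser to the addStrictTransportSecurityHeader attribute of a Liberty server.xml. The sample 302 headers and the sample server.xml are constructed from the post's own listings; the one-year threshold is the max-age the post recommends, not an RFC requirement. The reason the VirtualHost above uses `Header always set` is that in Apache the `always` condition also applies the header to non-2xx responses such as that redirect, which is exactly the response a scanner sees first.

```python
"""Audit Strict-Transport-Security (RFC 6797) in an HTTPS response and in a Liberty server.xml.

Added example, not code from the original post. Assumptions: the Liberty attribute is
addStrictTransportSecurityHeader on <webContainer> (as the post's listing shows), and the
one-year threshold is the post's recommendation, not an RFC rule.
"""
import http.client
import re
import ssl
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the max-age used in the post's example header

# Constructed sample: the 302 response shown in the post, as (name, value) pairs.
SAMPLE_302_HEADERS: List[Tuple[str, str]] = [
    ("Date", "Fri, 02 Aug 2024 07:42:49 GMT"),
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=63072000;includeSubDomains"),
    ("Location", "https://ibms2a:2010/HTTPAdmin"),
    ("Connection", "close"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

# Constructed sample: a minimal Liberty server.xml modelled on the post's Navigator listing.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server description="admin1">
  <webContainer deferServletLoad="false" addstricttransportsecurityheader="max-age=31536000;includeSubDomains" disableXPoweredBy="true"/>
  <applicationManager autoExpand="true"/>
</server>
"""


def parse_hsts(value: str) -> dict:
    """Parse an STS field value into its directives (RFC 6797 section 6.1).

    Directive names are case-insensitive, a directive must not appear twice,
    and max-age must be a non-negative integer. Unknown directives are kept.
    """
    directives: dict = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, arg = raw.partition("=")
        name = name.strip().lower()
        arg: Optional[str] = arg.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = arg
    if "max-age" in directives:
        arg = directives["max-age"]
        if arg is None or not re.fullmatch(r"[0-9]+", arg):
            raise ValueError("max-age must be a non-negative integer")
        directives["max-age"] = int(arg)
    return directives


def evaluate_hsts(headers: List[Tuple[str, str]], min_age: int = ONE_YEAR) -> List[str]:
    """Return findings for one HTTPS response's headers; an empty list means OK."""
    findings: List[str] = []
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return ["Strict-Transport-Security header missing"]
    if len(sts) > 1:
        findings.append("multiple STS header fields; browsers process only the first one")
    try:
        d = parse_hsts(sts[0])
    except ValueError as exc:
        return [f"malformed STS header: {exc}"]
    if "max-age" not in d:
        findings.append("max-age directive missing, so browsers ignore the header")
    elif d["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the host's HSTS policy")
    elif d["max-age"] < min_age:
        findings.append(f"max-age {d['max-age']} is below the recommended {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def evaluate_server_xml(xml_text: str, min_age: int = ONE_YEAR) -> List[str]:
    """Check the addStrictTransportSecurityHeader attribute of <webContainer> in a Liberty server.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for wc in root.iter("webContainer"):
        for attr, val in wc.attrib.items():
            if attr.lower() == "addstricttransportsecurityheader":  # attribute matched case-insensitively
                return evaluate_hsts([("Strict-Transport-Security", val)], min_age)
    return ["no addStrictTransportSecurityHeader attribute on <webContainer>"]


def fetch_headers(host: str, port: int = 443, path: str = "/", verify: bool = True):
    """HEAD request over TLS that does NOT follow redirects, so the first response
    (HTTPA's 302) is what gets evaluated. verify=False mirrors curl -k for a
    self-signed admin certificate; keep verification on whenever possible."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    print("sample 302 response:", evaluate_hsts(SAMPLE_302_HEADERS) or "OK")
    print("sample server.xml:  ", evaluate_server_xml(SAMPLE_SERVER_XML) or "OK")
    # Live check of an HTTPA instance (hypothetical host and the port from the post):
    # status, hdrs = fetch_headers("ibmserver", 2010, "/", verify=False)
    # print(status, evaluate_hsts(hdrs) or "OK")
```

Run it as-is to see the two constructed samples pass; uncomment the live check and point it at your own admin host to audit the real first response. If the live result reports the header missing while the browser shows it on the final page, the header is only on the 2xx target and not on the redirect, which is the situation the `Header always set` line fixes.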