Support Article
Missing HSTS response header for Pega application
SA-39517
Summary
Security issue reported wherein HTTP Strict Transport Security (HSTS) response headers are missing in Pega response.
Error Messages
Not Applicable
Steps to Reproduce
Check for response headers for any PRPC response. Strict-Transport-Security headers are generally missing
Root Cause
Not Applicable
Resolution
Perform the following local-change:
Changes to be made in web.xml are :
<filter>
<filter-name>RequestLoggingFilter</filter-name>
<filter-class>com.pega.pegarules.internal.web.servlet.WebStandardBootFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>RequestLoggingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Add compiled class of WebStandardBootFilter.java i.e. WebStandardBootFilter.class in location ‘webapps\prweb\WEB-INF\lib\prbootstrap\com\pega\pegarules\internal\web\servlet’
package com.pega.pegarules.internal.web.servlet;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
public class WebStandardBootFilter implements Filter {
public void destroy() {
// No-Op
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
((HttpServletResponse) response).addHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains;preload");
chain.doFilter(request, response);
}
public void init(FilterConfig arg0) throws ServletException {
// No-Op
}
}
Published August 17, 2017 - Updated October 8, 2020
Have a question? Get answers now.
Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.