Enable HSTS on the web portal


I was looking for a way to enable HSTS (HTTP Strict Transport Security).

I can modify the portal ood-portal.conf.erb and get it working that way but that doesn’t seem like a reliable solution when doing updates to new versions.

Is there a place that I am not seeing where I can enable HSTS, and if not, can this be added as an option that can be enabled via the ood_portal.yml file?


Since OnDemand doesn’t currently provide a way for arbitrary Apache config items, an alternative to modifying ood-portal.conf.erb would be to set the header globally. If no services being served by that Apache instance ever will require http and can always be https, or the only purpose of this Apache instance is to serve OnDemand, you could try adding a file like /opt/rh/httpd24/root/etc/httpd/conf.d/strict_security_transport.conf with the contents:

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Meanwhile I’m going to look at a modification ensuring this is set by default in a 1.8 patch release this month (but that would specifically apply to the OnDemand VirtualHost).
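A way to check what the header above actually delivers, as an added example that is not part of this thread or of OnDemand: it parses a Strict-Transport-Security value the way RFC 6797 describes (directives split on `;`, case-insensitive names, `max-age` required, a repeated directive invalidates the whole header) and reports whether it meets the policy in the suggested directive. The function names `parse_hsts` and `evaluate_hsts` and the `SAMPLES` values are my own constructions, not captured from a real portal; on a live host you would feed it the value returned by `curl -sI https://your-portal` under `strict-transport-security:`.

```python
"""Validate a Strict-Transport-Security header against the thread's policy.

Added example; parsing follows RFC 6797 section 6.1. Nothing here is taken
from the OnDemand code base.
"""
import re
from typing import Dict, Optional

# max-age from the directive suggested in the thread (two years, in seconds)
REQUIRED_MAX_AGE = 63072000


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse an HSTS header value into {directive_name: directive_value}.

    Returns None when a conforming user agent would ignore the header:
    a directive appears twice, max-age is missing or non-numeric, or a
    directive has an empty name.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # RFC 6797 allows empty directives between semicolons
        name, sep, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            return None
        if name in directives:
            return None  # duplicate directive -> header must be ignored
        directives[name] = val.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None  # max-age is the one required directive
    return directives


def evaluate_hsts(value: str, min_max_age: int = REQUIRED_MAX_AGE) -> Dict[str, bool]:
    """Report validity and which parts of the thread's policy the header carries."""
    parsed = parse_hsts(value)
    if parsed is None:
        return {"valid": False, "max_age_ok": False,
                "include_subdomains": False, "preload": False}
    return {
        "valid": True,
        "max_age_ok": int(parsed["max-age"]) >= min_max_age,
        "include_subdomains": "includesubdomains" in parsed,
        "preload": "preload" in parsed,
    }


# Constructed sample header values (hypothetical, not from a real server).
SAMPLES = {
    "thread_policy": "max-age=63072000; includeSubDomains; preload",
    "short_max_age": "max-age=300",
    "duplicate": "max-age=63072000; max-age=0",
    "missing_max_age": "includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:16} {evaluate_hsts(header)}")
```

Two caveats worth keeping in mind when adding the header globally as suggested: mod_headers only applies a plain `Header set` to successful responses, so `Header always set ...` is what makes the policy reach error pages and redirects as well; and the `preload` token signals intent to be hard-coded into browser preload lists, which is not reversible on any short timescale, so confirm every subdomain really serves HTTPS before shipping it.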

Thank you, I like the solution you recommended, and if it makes it into 1.8 that would be great.
