Is there an implementation for using the Strict-Transport-Security header to WebLogic? I figure it would be using something in web.xml under <security-constraint>
I know how to do this for an Apache based server, but I am unsure on adding it in for WebLogic.
Please note, with this instance I am unable to use Apache in front of WebLogic.
There is no any specific configuration for HSTS (HTTP Strict Transport Security ) on weblogic.
However, the installation can be configured to work on HTTPS protocol.
You can set 'transport-guarantee' to CONFIDENTIAL or INTEGRAL in web.xml. With that set, WebLogic Server will automatically redirect a client to the HTTPS port if the original request was over HTTP.
An example of the web.xml file entry is as follows:
<security-constraint>
<user-data-constraint>
<description>USE SSL</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I would probably put Nginx in front of Weblogic as a reverse proxy, and use that to do the whole HTTPS thing, including HSTS.
Then all you have to do is add the following configuration to the Nginx configuration
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
