Hello everyone,
This is my first SAP blog post, and I noticed there isn't much information on the implementation of HSTS (HTTP Strict Transport Security) with SAP Web Dispatcher.
I believe this blog post will help you understand how to implement HSTS in SAP Web Dispatcher.
More information about HSTS can be found on the wiki page: HSTS
Implementation:
HSTS can be configured either in the Web Dispatcher or in the backend servers (ICM), provided that the backend release level supports it. If it does not, the easier way is to add the header at the Web Dispatcher level by modifying the response headers there.
The minimum patch/kernel level is mentioned in SAP Note 2042819.
Prerequisites to HSTS:
- SSL/TLS is implemented in the environment.
- Valid security certificates are installed for the systems.
Procedure:
HSTS works by sending the Strict-Transport-Security response header, which specifies an expiry time during which the browser (client) converts HTTP requests to HTTPS on its own, without relying on a server redirect each time, thereby avoiding man-in-the-middle (MITM) attacks on the plain-HTTP request.
After SSL is implemented in SAP Portal, the URL's developer info (response headers) looks as below, without any security headers.
As you can see, the response header does not contain 'Strict-Transport-Security'.
The parameters below are added to the Web Dispatcher $(DIR_PROFILE)\icm_filter.txt file:
    if %{HTTP_HOST} regimatch <host>*
    SetResponseHeader Strict-Transport-Security "max-age=<age in sec>; includeSubDomains"
where <host> is the Web Dispatcher or ICM host and 'max-age' is the time in seconds for which the client (browser) will keep enforcing HTTPS without asking the server for the header again. This is usually set to 31556952 seconds (1 year).
'includeSubDomains' makes sure the policy also applies to all subdomains of the host.
If HTTP traffic is not yet redirected to HTTPS, create a redirect-to-HTTPS rule like the one below and then add the header parameter above:
    if %{SERVER_PROTOCOL} !stricmp "https"
    RegIRedirectUrl /(.*) https://<host>:<https_port>/$1
Once this is done, save the file and restart the Web Dispatcher. Access the URL and open the developer info; the HSTS header shown below is now set in the security headers for all sub-pages and will not expire until the 'max-age' time has elapsed.
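A quick way to verify the result of the rules above is to inspect the response headers programmatically rather than by eye. The script below is an added example, not code from the original post or from SAP: it parses the Strict-Transport-Security header and reports the misconfigurations a practitioner usually looks for (header missing on HTTPS, max-age shorter than the recommended one year, includeSubDomains absent, HTTP not redirected to HTTPS). The sample responses at the bottom are constructed, not captured from a real system.

```python
# Added example (not from the original post or SAP): validate the HSTS header
# that the icm_filter.txt rules are expected to produce. Standard library only.
ONE_YEAR = 31556952  # max-age in seconds recommended in the post


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains [; preload]' into a dict.
    Directive names are case-insensitive (RFC 6797)."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError("invalid max-age value: %r" % arg)
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(headers, scheme, min_age=ONE_YEAR):
    """Return a list of findings for one response.
    headers: dict of response headers (names matched case-insensitively);
    scheme: 'http' or 'https' of the URL that was requested."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP, so on the HTTP side
        # the only thing that matters is the redirect rule.
        if not lower.get("location", "").lower().startswith("https://"):
            findings.append("HTTP request is not redirected to HTTPS")
        return findings
    sts = lower.get("strict-transport-security")
    if sts is None:
        return ["Strict-Transport-Security header missing on HTTPS response"]
    parsed = parse_hsts(sts)
    if parsed["max_age"] is None:
        findings.append("max-age directive missing (header is invalid)")
    elif parsed["max_age"] < min_age:
        findings.append("max-age %d is below %d" % (parsed["max_age"], min_age))
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    # Constructed samples: a correct HTTPS response and an HTTP response with no redirect.
    print(check_hsts({"Strict-Transport-Security": "max-age=31556952; includeSubDomains"}, "https"))
    print(check_hsts({"Location": "/index.html"}, "http"))
```

The header dict can be filled from any HTTP client's response (for example the headers shown in the browser's developer info); an empty findings list means the configuration matches what the post describes.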
Also refer to the SAP Web Dispatcher best practices for more secure configurations: SAP webdisp best practices. Refer to the SAP blog for more details on HSTS.
Viewing/clearing HSTS in Chrome:
In Google Chrome the HSTS configuration can be viewed under
chrome://net-internals/#hsts > Domain Security Policy
To check whether HSTS info is saved in the browser (client), enter the domain name and query it.
To clear the HSTS info in Chrome temporarily, the same page has an option for that.
Please do let me know your feedback.