Community article: HTTP Strict Transport Security (HSTS)
Added by ~Joseph Nimweburings | Edited by ~Joseph Nimweburings on June 15, 2015 | Version 5
Abstract: How to configure Domino for HTTP Strict Transport Security
Tags: http, https, SSL, TLS
The HTTP Strict Transport Security (HSTS) response header lets a web server tell web clients that they should only communicate with it over HTTPS and never over plain HTTP. A compliant browser remembers the policy for the max-age period and rewrites any http:// request to that host into an https:// request, which helps prevent attackers from tricking the browser into an unencrypted connection (SSL stripping). Two caveats: browsers only honour the header when it arrives over HTTPS (a copy received over plain HTTP is ignored), and the policy breaks common practices such as "mixed content" pages, where some resources are served over HTTPS and some over HTTP, and authenticating over HTTPS and then dropping back to HTTP for the rest of the session.

Starting in Domino 9.0.1 FP3 IF2, the HTTP task sends the Strict-Transport-Security header itself. When the server is configured for SSL/TLS and the plaintext HTTP port is disabled or set to "redirect only", the header is sent with a default max-age of one week. If the server is not configured for SSL/TLS, or the HTTP port is active, the header is sent with max-age=0, which disables HSTS and clears any policy a browser cached earlier. Three notes.ini settings control this behaviour:
  • HTTP_HSTS_MAX_AGE sets the max-age parameter in seconds; the default is 604800 (one week).
  • HTTP_HSTS_INCLUDE_SUBDOMAINS=1 adds the "includeSubDomains" parameter to the "Strict-Transport-Security" header, which extends the policy to every subdomain of the host, so set it only when all of them are served over HTTPS. It is off by default.
  • HTTP_ENABLE_HSTS=0 disables HSTS entirely, so the Strict-Transport-Security header is not sent at all.

In versions before 9.0.1 FP3 IF2, Domino administrators can use Internet Site documents to configure the Domino HTTP task to set this header (a Web Site Rule that adds a custom HTTP response header) and so tell compliant web browsers to only communicate with the server over SSL/TLS. Configure this header only if plaintext HTTP has been disabled or set to "redirect only" and SSL/TLS is enabled; otherwise browsers that have seen the header will refuse to load the site over HTTP until the policy expires.

Sample Web Site Rule adding the "Strict-Transport-Security" header with a maximum age of one year:

[Screenshot of the Web Site Rule: HTTP response header "Strict-Transport-Security" with the value "max-age=31536000" (one year in seconds)]

If you need to re-enable plaintext HTTP, first replace this header's value with max-age=0 and keep serving it over HTTPS for a while before opening the HTTP port, so that compliant web browsers clear their cached policy and are willing to communicate with your web site over HTTP once again. A browser that does not revisit the site over HTTPS keeps the old policy until its max-age expires, so with the one-year value above that browser will refuse plain HTTP for up to a year.
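The behaviour described above (the three notes.ini settings and when Domino falls back to max-age=0) and the deployment rule for the Web Site Rule approach can be checked with the following script. It is an added example written for this article, not Domino code: the notes.ini names are the ones listed above, the "enabled", "redirect" and "disabled" HTTP-port states follow the text, and the HTTP responses and the host name domino.example.com at the bottom are constructed samples. It models the header Domino would send for a given configuration, parses a received header into its RFC 6797 directives, and audits a pair of HTTPS/HTTP responses for the mistake this article warns about: a non-zero max-age while the plaintext port still serves content.

```python
"""Model the HSTS behaviour described for Domino 9.0.1 FP3 IF2+ and audit a
server's responses against the article's deployment rule.

Added example, not Domino code. The notes.ini names are the three the
article lists; the responses under __main__ are constructed samples.
"""
from typing import Dict, List, Optional

DEFAULT_MAX_AGE = 604800  # one week, the Domino default


def expected_hsts_header(notes_ini: Dict[str, str], ssl_enabled: bool,
                         http_port: str) -> Optional[str]:
    """Return the Strict-Transport-Security value Domino sends for a
    configuration, per the article. http_port is "enabled", "redirect" or
    "disabled". None means the header is not sent at all."""
    if notes_ini.get("HTTP_ENABLE_HSTS", "1") == "0":
        return None
    if not ssl_enabled or http_port == "enabled":
        # Plaintext HTTP still serves content: Domino sends max-age=0,
        # which also clears a policy browsers cached earlier.
        return "max-age=0"
    value = "max-age=%d" % int(notes_ini.get("HTTP_HSTS_MAX_AGE", DEFAULT_MAX_AGE))
    if notes_ini.get("HTTP_HSTS_INCLUDE_SUBDOMAINS") == "1":
        value += "; includeSubDomains"
    return value


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its RFC 6797 directives.
    Directive names are case-insensitive and max-age may be quoted."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False,
                              "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())


def audit(https_headers: Dict[str, str], http_status: Optional[int],
          http_headers: Dict[str, str]) -> List[str]:
    """Apply the article's rule: a non-zero max-age belongs only on a server
    whose plaintext port is disabled (http_status None) or redirect-only.
    Returns a list of findings; an empty list means the deployment is
    consistent."""
    raw = _header(https_headers, "Strict-Transport-Security")
    if raw is None:
        return ["HTTPS response carries no Strict-Transport-Security header"]
    hsts = parse_hsts(raw)
    if hsts["max_age"] is None:
        return ["max-age directive missing; browsers ignore the header"]
    if hsts["max_age"] == 0:
        return ["max-age=0: HSTS is switched off (cached policy is cleared)"]
    location = (_header(http_headers, "Location") or "").lower()
    redirecting = (http_status in (301, 302, 307, 308)
                   and location.startswith("https://"))
    findings: List[str] = []
    if http_status is not None and not redirecting:
        findings.append("plaintext HTTP port serves content (status %d) while "
                        "HSTS max-age=%d is active; browsers that saw the "
                        "header will refuse HTTP for this host"
                        % (http_status, hsts["max_age"]))
    return findings


if __name__ == "__main__":
    # Constructed sample: TLS on, HTTP port redirect-only, one-year policy
    # as in the Web Site Rule example; host name is an assumption.
    https_ok = {"Strict-Transport-Security": "max-age=31536000"}
    print(audit(https_ok, 301, {"Location": "https://domino.example.com/"}))
    # Same header, but the HTTP port was re-enabled without max-age=0 first.
    print(audit(https_ok, 200, {"Content-Type": "text/html"}))
    print(expected_hsts_header({"HTTP_HSTS_INCLUDE_SUBDOMAINS": "1"},
                               ssl_enabled=True, http_port="redirect"))
```

To run it against a live server, feed audit() the headers from a HEAD request to the HTTPS port and the status and headers from the same request to the HTTP port; pass None as http_status when the HTTP port does not answer at all.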
