Product: TIBCO Spotfire®
How to include the preload directive when using HTTP Strict-Transport-Security (HSTS) in TIBCO Spotfire server
By default, the preload directive is not included in the HSTS header that Spotfire server sends.
It can be enabled so that the preload directive is included in the HSTS header, which is a prerequisite for having the domain included in Chrome's HSTS preload list.
What is HSTS Preloading:
HSTS Preloading is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their site is built into a browser. This list is compiled by Google and is utilized by Chrome, Firefox, and Safari. These sites do not depend on the issuing of the HSTS response header to enforce the policy; instead, the browser is already aware that the host requires the use of SSL/TLS before any connection or communication even takes place. This removes the opportunity an attacker has to intercept and tamper with redirects that take place over HTTP. This isn't to say that the host needs to stop issuing the HSTS response header; this must be left in place for those browsers that don't use preloaded HSTS lists.
https://scotthelme.co.uk/hsts-preloading/
The preload directive can be included by following the steps below:
Note: Make sure that HSTS is enabled before performing the below steps.
- On the Spotfire server machine, open a command prompt with "Run as Administrator" and change to the <installation_dir>/tomcat/bin directory (Spotfire server versions 7.10 up to 10.2) or the <installation_dir>/tomcat/spotfire-bin directory (Spotfire server version 10.3 and later), depending on your Spotfire server version.
- Export the latest Spotfire server configuration using the command below:
> config export-config --force
- Now, run the command below to include the preload directive:
> config set-config-prop -n security.hsts.include-preload -v true
- Once the property has been set successfully, import the Spotfire server configuration into the database using the command below:
> config import-config -c "Included preload directive for HSTS"
- After the configuration has been imported successfully, restart the Spotfire server service.
- Refer to the Spotfire server manual link below for more information about HTTP Strict-Transport-Security (HSTS).
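To confirm that the change took effect after the restart, the Strict-Transport-Security header the server now returns can be checked against the HSTS preload list requirements (max-age of at least one year, includeSubDomains, preload). The following is an added example, not part of the Spotfire documentation; the header values in it are constructed, and `check_server` is a hypothetical helper that fetches the real header from a URL you supply.

```python
"""Check a Strict-Transport-Security header value against the HSTS preload list
requirements (hstspreload.org). Added example, not Spotfire's own code."""
import urllib.request
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # minimum max-age (seconds) accepted by the preload list


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive (RFC 6797); valueless ones map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def preload_problems(header_value: Optional[str]) -> List[str]:
    """Return the reasons a header is not preload-eligible; empty means it qualifies."""
    if header_value is None:
        return ["no Strict-Transport-Security header (HSTS not enabled)"]
    problems: List[str] = []
    d = parse_hsts(header_value)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        problems.append("max-age directive missing or not an integer")
    else:
        if max_age < ONE_YEAR:
            problems.append(f"max-age {max_age} is below the required {ONE_YEAR} (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing (security.hsts.include-preload not set?)")
    return problems


def check_server(url: str) -> List[str]:
    """Hypothetical helper: fetch the header from a live HTTPS URL (needs network)."""
    with urllib.request.urlopen(url) as resp:  # e.g. "https://spotfire.example.invalid/"
        return preload_problems(resp.headers.get("Strict-Transport-Security"))


# Constructed sample headers: before and after setting security.hsts.include-preload.
BEFORE = "max-age=31536000; includeSubDomains"
AFTER = "max-age=31536000; includeSubDomains; preload"
```

Running `check_server` against the server should return an empty list once the preload directive is in place; any entry in the list names the directive that is still missing or too small.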