HTTP Strict-Transport-Security Header in Liferay
Written by Madhusudan Sharma
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
Issue
- Is the HTTP Strict-Transport-Security header enabled in Liferay?
Resolution
- Liferay enables HTTP security headers such as 'http.header.secure.x.content.type.options' and 'http.header.secure.x.xss.protection' by default.
- The HTTP Strict-Transport-Security header is not enabled in Liferay, because the required configuration should be performed on an application server such as Tomcat or on a web server such as Apache.
- However, there is a feature request for enabling the HSTS header on Liferay's side. Please refer to LPS-39213; you can vote on the LPS so that you are notified if the feature is implemented.
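One way to do this on Tomcat, shown as an added example that is not part of the original article or of Liferay's own documentation: declare Tomcat's bundled `HttpHeaderSecurityFilter`. Placing it in Tomcat's `conf/web.xml`, the one-year `max-age`, and `includeSubDomains` are assumptions to adjust for your deployment.

```xml
<!-- Added example: goes inside <web-app> in Tomcat's conf/web.xml (assumed location) -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>

    <!-- Send Strict-Transport-Security on secure (HTTPS) requests -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- Assumed policy lifetime: 31536000 seconds = 1 year.
         Start with a small value while testing, since browsers cache the policy. -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <!-- Assumption: every subdomain of the portal host is also served over HTTPS -->
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>

    <!-- Switch off the filter's X-Frame-Options and X-Content-Type-Options
         headers so they stay under Liferay's control (assumption) -->
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Tomcat adds the header only to requests it sees as secure, so when TLS terminates at Apache or another proxy in front of Tomcat, set the header there instead, for example with mod_headers: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`.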