0

I am trying to add a Strict-Transport-Security header to my Jetty server 9.2.25.

I have tried adding the rule to my jetty-config.xml, but it does not seem to be working.

    <Get id="oldhandler" name="handler"/>
    <Set name="handler">
      <New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
        <Set name="handler">
           <Ref id="oldhandler"/>
        </Set>
        <Set name="rewriteRequestURI">true</Set>
        <Set name="rewritePathInfo">false</Set>
        <Set name="originalPathAttribute">requestedPath</Set>

        <Call name="addRule">
            <Arg>
                <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                    <Set name="pattern">/*</Set>
                    <Set name="name">Strict-Transport-Security</Set>
                    <Set name="value">max-age=31536000;includeSubDomains</Set>
                </New>
            </Arg>
        </Call>
      </New>
    </Set>

To check whether it is working, I looked at the curl output, but it's not displaying the Strict-Transport-Security information. It should display the line below in the curl output.

Strict-Transport-Security: max-age=31536000; includeSubDomains

    root@ip:~# curl -k --head https://ip:443
    HTTP/1.1 200 OK
    X-Frame-Options: DENY
    Content-Type: text/html;charset=UTF-8
    Set-Cookie: JSESSIONID=157bfeip315gbmb796uh2yq4m;Path=/;Secure
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    Cache-Control: no-store
    Content-Length: 8246
    Server: Jetty(9.2.25.v20180606)

Please let me know if any changes are needed in this config, or if there is any other way to configure the Jetty web server to add the HSTS header.

Thanks for your help.

Suman
  • Can you perform a jetty server dump (not a memory or heap dump) and report back the details? There's something off, your XML seems OK at face value, so there's a probability that you have the `RewriteHandler` in the wrong place - see https://www.eclipse.org/jetty/documentation/current/jetty-dump-tool.html – Joakim Erdfelt May 09 '19 at 18:14
  • Maybe try `*`. – Lothar Jul 02 '19 at 13:07

1 Answer

0

Did you try this:

    <Set name="rules">
      <Array type="org.eclipse.jetty.rewrite.handler.Rule">
        <Item>
          <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
            <Set name="pattern">*</Set>
            <Set name="name">Strict-Transport-Security</Set>
            <Set name="value">max-age=31536000;includeSubDomains</Set>
          </New>
        </Item>
      </Array>
    </Set>
SPoint
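
As an added example (not part of the question or the answer), the curl check from the question can be turned into a pass/fail test by parsing the response headers for a usable HSTS policy. The function name `hsts_check`, the sample functions and the one-year default threshold are assumptions of this example.

```sh
# Added example, not from the original post. Reads `curl --head` output on stdin.
# Exit status: 0 = OK, 1 = header missing, 2 = present but invalid or too short.
hsts_check() {
  awk -v min_age="${1:-31536000}" '
    { sub(/\r$/, "") }                    # curl prints CRLF line endings
    /^HTTP\// { next }                    # status line
    /^$/      { exit }                    # blank line ends the header block
    {
      i = index($0, ":")
      if (i == 0) next
      # Header names are case-insensitive; RFC 6797: only the first field is processed
      if (tolower(substr($0, 1, i - 1)) == "strict-transport-security" && ++count == 1)
        value = substr($0, i + 1)
    }
    END {
      if (count == 0) { print "MISSING"; exit 1 }
      n = split(value, parts, ";")
      for (k = 1; k <= n; k++) {
        d = tolower(parts[k]); gsub(/[ \t"]/, "", d)   # directive names are case-insensitive
        if (d ~ /^max-age=[0-9]+$/) { age = substr(d, 9); seen = 1 }
        else if (d == "includesubdomains") subd = "yes"
      }
      if (subd == "") subd = "no"
      if (!seen) { print "INVALID no max-age directive"; exit 2 }
      verdict = (age + 0 >= min_age + 0) ? "OK" : "WEAK"
      printf "%s max-age=%s includeSubDomains=%s\n", verdict, age, subd
      if (verdict == "WEAK") exit 2
    }'
}

# Constructed sample 1: headers taken from the curl output in the question (no HSTS).
sample_question() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' 'X-Frame-Options: DENY' \
    'Content-Type: text/html;charset=UTF-8' 'Cache-Control: no-store' \
    'Server: Jetty(9.2.25.v20180606)' ''
}
# Constructed sample 2: the same response once the rewrite rule takes effect.
sample_fixed() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' 'X-Frame-Options: DENY' \
    'strict-transport-security: max-age=31536000;includeSubDomains' \
    'Server: Jetty(9.2.25.v20180606)' ''
}
# Constructed sample 3: header present but with a five-minute lifetime.
sample_short() { printf '%s\r\n' 'HTTP/1.1 200 OK' 'Strict-Transport-Security: max-age=300' ''; }

sample_question | hsts_check || true      # MISSING
sample_fixed | hsts_check                 # OK ...
sample_short | hsts_check || true         # WEAK ...
# Against a live server: curl -sk --head https://HOST:443 | hsts_check
```

Browsers honour the header only on HTTPS connections without certificate errors (RFC 6797), so a pass with `curl -k` confirms the header is sent, not that browsers will enforce it.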