RFC-6797 (HTTP Strict Transport Security) support for Liferay on appserver level
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



This hook adds the HSTS header (RFC-6797) to https-responses. More information about HSTS (HTTP Strict Transport Security) can be found here:

While it's possible to configure frontend webservers to add this header automatically, this app enables you to conditionally handle anonymous users differently from logged in users: You can configure the timeout for both kinds of users differently, e.g. to totally disable HSTS for anonymous users, while enforcing it for logged in users.

Due to the nature of HSTS, this is browser based: Whenever a user logs on on a specific browser, that browser is forced into https in future, no matter if the user ever logs in again. The assumption is that whatever browser is used to log in to the system, it might be used to log in again. If nobody ever logged in from a certain browser and your site is public, you don't need to force them into https.

If a request is received through https, the header will be sent back. You will need to configure the timeout values in Control Panel / Portal Settings / General. The timeout is configured in seconds, i.e. one year (365 days) is equivalent to 31536000 seconds

To deactivate this header, undeploy the plugin (it does nothing but add the header) or just minimize the impact by specifying the timeout as 0.

Note, due to the specification, this can only work properly under the following circumstances:

  • Your server has a properly trusted - not a self-signed - certificate.
  • You access your site through https. (HSTS does not work on http)
  • You're running on the standard ports, 80 for http and 443 for https, e.g. HSTS would happily rewrite http://localhost:8080 to https://localhost:8080 - and this obviously can't work.