Enable Support for HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) allows websites to force web clients to interact only using HTTPS and helps protect against protocol downgrade attacks.

HSTS Implications

After HSTS is enabled, all HTTP requests from a particular domain name (for example, myweb.server.com) convert to HTTPS requests by the browser.

HSTS will affect all other applications hosted on your domain. Before enabling HSTS, MicroStrategy suggests that your IT or Network team evaluate it.

Enable HSTS

Configuring HSTS varies for each application server, see your vendor documentation for more information. You can use the following links to configure HSTS:

• Tomcat

  • https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter

  • https://docs.microfocus.com/SM/9.52/Hybrid/Content/security/concepts/support_of_http_strict_transport_security_protocol.htm

• IIS

  • Use the following custom header solution:

  Copy

  <system.webServer>
      <httpProtocol>
          <customHeaders>
              <add name="Strict-Transport-Security" value="max-age=31536000"/>
          </customHeaders>
      </httpProtocol>
  </system.webServer>

  • https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpprotocol/customheaders/

The third-party product(s) discussed in this technical note is manufactured by vendors independent of MicroStrategy. MicroStrategy makes no warranty, express, implied or otherwise, regarding this product, including its performance or reliability.