Setting up HSTS on Compose
HSTS is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with them using only HTTPS connections, which provide Transport Layer Security (TLS/SSL).
You can force the Compose Web UI and/or the Compose REST API connections to use HSTS (HTTP Strict Transport Security). To do this, run the commands described below.
All commands should be run as Admin from the product bin folder.
Enabling HSTS
Command syntax
ComposeCtl.exe configuration set --static_http_headers header_list --rest_http_headers header_list
Parameters
Parameter | Description
---|---
--static_http_headers | The headers required to connect to the Compose Web UI.
--rest_http_headers | The headers required to connect using the API.
Headers should be specified using the following format:
ComposeCtl.exe configuration set --static_http_headers "header1:value1" "header2:value2" --rest_http_headers "header1:value1" "header2:value2"
Example
ComposeCtl.exe configuration set --static_http_headers "Strict-Transport-Security:max-age=31536000; includeSubDomains;" --rest_http_headers "Strict-Transport-Security:max-age=31536000; includeSubDomains;"
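The following PowerShell script is an added example, not part of the Qlik Compose documentation: it applies the HSTS header from the example above to both endpoints and then checks that each endpoint actually returns it with the expected max-age and includeSubDomains directive. The bin folder path and the two URLs are placeholders you must replace with your own.

```powershell
# Added example (not from the Qlik Compose documentation): enable HSTS on both
# endpoints with ComposeCtl.exe, then verify the header over HTTPS. Browsers only
# honour Strict-Transport-Security when it arrives over HTTPS, so test the TLS URL.
$ComposeBin = 'C:\Program Files\Qlik\Compose\bin'            # placeholder path
$Endpoints  = [ordered]@{
    'Web UI'   = 'https://compose.example.internal/'          # placeholder URL
    'REST API' = 'https://compose.example.internal/api/'      # placeholder URL
}
$Hsts = 'Strict-Transport-Security:max-age=31536000; includeSubDomains;'

# Same header for the Web UI (--static_http_headers) and the API (--rest_http_headers).
# Run from an elevated prompt, as the procedure requires.
& (Join-Path $ComposeBin 'ComposeCtl.exe') configuration set `
    --static_http_headers $Hsts --rest_http_headers $Hsts
if ($LASTEXITCODE -ne 0) { throw "ComposeCtl.exe failed with exit code $LASTEXITCODE" }

function Get-HstsHeader {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return "$($resp.Headers['Strict-Transport-Security'])"
    } catch {
        # A 401/404 answer (typical for an unauthenticated API call) still carries
        # headers; read them off the error response instead of failing the check.
        $r = $_.Exception.Response
        if (-not $r) { throw }
        if ($r -is [System.Net.HttpWebResponse]) {            # Windows PowerShell 5.1
            return "$($r.Headers['Strict-Transport-Security'])"
        }
        if ($r.Headers.Contains('Strict-Transport-Security')) {  # PowerShell 7+
            return "$($r.Headers.GetValues('Strict-Transport-Security'))"
        }
        return ''
    }
}

function Test-HstsHeader {
    param([string]$Value, [long]$MinMaxAge = 31536000)
    if (-not $Value) { return 'MISSING: no Strict-Transport-Security header' }
    $directives = $Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $maxAge = $null
    foreach ($d in $directives) { if ($d -match '^max-age=(\d+)$') { $maxAge = [long]$Matches[1]; break } }
    if ($null -eq $maxAge)      { return "INVALID: max-age missing in '$Value'" }
    if ($maxAge -lt $MinMaxAge) { return "WEAK: max-age=$maxAge is below $MinMaxAge" }
    if ($directives -notcontains 'includeSubDomains') { return 'PARTIAL: includeSubDomains not set' }
    return "OK: $Value"
}

foreach ($name in $Endpoints.Keys) {
    '{0,-8} {1}' -f $name, (Test-HstsHeader -Value (Get-HstsHeader -Url $Endpoints[$name]))
}
```

Re-run only the two verification functions after a restart or upgrade to confirm the configured headers are still being served.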
Disabling HSTS
You can also revert to regular HTTPS connections.
Command syntax
ComposeCtl.exe configuration set --static_http_headers ""|--rest_http_headers ""
Parameters
Parameter | Description
---|---
--static_http_headers | Use this parameter to revert the headers required to connect to the Compose Web UI.
--rest_http_headers | Use this parameter to revert the headers required to connect using the API.
Example
Disable static_http_headers
ComposeCtl.exe configuration set --static_http_headers ""
Disable rest_http_headers
ComposeCtl.exe configuration set --rest_http_headers ""