0

I have a CAS (Central Authentication Service) integrated web application. The default implementation of the CAS webapp login (/cas/login) does not enforce an HSTS policy (Strict-Transport-Security). Except for a custom authentication handler, everything else used in the project is the default implementation. So the question that I have is where to set the HSTS header in the response.

Please do help me in this regard. Thanks :)

Shyam

1 Answer

0

You don't mention what version of CAS [which is something very useful], but in general HSTS is supported by CAS automatically, provided you turn on the settings that allow it to do so. Post back your version and I'll provide a link to the docs.

The job is handled via https://github.com/apereo/cas-server-security-filter internally.

Misagh Moayyed
  • My CAS version is 4.2.x. As per the documentation I went through, cas.properties has the appropriate settings for this, and it is working fine. Thanks for the response :) – Shyam Jun 20 '17 at 05:40
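
Once the setting is enabled, the Strict-Transport-Security value returned by /cas/login can be checked against the RFC 6797 grammar. The following is an added example, not part of the original posts or of CAS itself; the function names, the 180-day threshold and the sample headers are assumptions constructed for illustration.

```python
import re

# Minimum policy lifetime treated as acceptable here (assumption: 180 days).
MIN_MAX_AGE = 180 * 24 * 3600

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns (max_age, include_subdomains); raises ValueError when the
    value breaks the grammar and a browser would ignore the header.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # the quoted-string form is allowed
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = arg  # unknown directives are recorded and ignored
    if "max-age" not in seen:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"[0-9]+", seen["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    if seen.get("includesubdomains"):
        raise ValueError("includeSubDomains takes no value")
    return int(seen["max-age"]), "includesubdomains" in seen

def audit_hsts(headers):
    """Return a list of findings for one HTTPS response's headers (a dict)."""
    values = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing Strict-Transport-Security header"]
    try:
        max_age, _ = parse_hsts(values[0])
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    if max_age == 0:
        return ["max-age=0 tells browsers to drop the HSTS policy"]
    if max_age < MIN_MAX_AGE:
        return [f"max-age {max_age} is below {MIN_MAX_AGE} seconds"]
    return []

# Constructed headers for a /cas/login response (not captured from a real server).
SAMPLE_OK = {"Strict-Transport-Security": "max-age=15768000 ; includeSubDomains"}
SAMPLE_MISSING = {"Cache-Control": "no-store"}
```

Feed `audit_hsts` the headers of a response fetched over HTTPS; browsers ignore this header when it arrives over plain HTTP.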