I know that we can enable HSTS in the apache tomcat as there is an option to achieve that. Is there any way that we could configure on top of the Sonatype Nexus Artifact Repository Manager ?
I found a configuration of nexus which is jetty-http.xml, is there any way we can add the HSTS configuration inside this, will it be able to understand the HSTS configuration while running this jetty-http.xml?
Nexus 3 ships the Jetty SecureRequestCustomizer enabled by default, which enables HSTS:
See here for examples of how to customize it:
So this article never really ends up indicating how the user was able to resolve the issue.
I was able to add HSTS to the Nexus SSL Port of my application by adding a rewrite.xml to the list of .xml files that the application was calling for and inside of the rewrite.xml I added the following jetty connectors.
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<!-- =========================================================== -->
<!-- configure rewrite handler -->
<!-- =========================================================== -->
<Get id="oldhandler" name="handler"/>
<Set name="handler">
<New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<Set name="handler"><Ref id="oldhandler"/></Set>
<Set name="rewriteRequestURI">true</Set>
<Set name="rewritePathInfo">true</Set>
<Set name="originalPathAttribute">requestedPath</Set>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">/*</Set>
<Set name="name">Strict-Transport-Security</Set>
<Set name="value">max-age=31536000; includeSubDomains</Set>
</New>
</Arg>
</Call>
</New>
</Set>
</Configure>
