
Configuring HSTS for Martini Server Runtime

Overview

In addition to enabling SSL, you can configure Martini to use HTTP Strict Transport Security (HSTS) to enhance security and protect against downgrade attacks. HSTS is a web security policy mechanism that helps prevent man-in-the-middle attacks by enforcing secure (HTTPS) connections to the server.

Configuring HSTS

When HSTS is enabled, Martini injects a header field named Strict-Transport-Security into your server's responses. Once a user agent (e.g., a web browser) receives a response with this header, it will automatically convert all subsequent requests to your site from HTTP to HTTPS for as long as the header's max-age allows, ensuring that all communications are secure.

Enabling HSTS

To enable HSTS, configure the following instance properties in your override.properties file:

hsts.enabled=true
hsts.include-subdomains=false
hsts.preload=false
hsts.max-age=31536000

Property Descriptions

  • hsts.enabled: Set this property to true to enable HSTS and allow Martini to inject the Strict-Transport-Security header into responses.

  • hsts.include-subdomains: Set to true if all current and future subdomains will also use HTTPS. This ensures that HSTS applies across all subdomains of your site.

  • hsts.preload: Set to true if you would like your domain to be included in the HSTS preload list maintained by major browsers like Chrome, Firefox, and Safari. Being included in this list means that browsers will automatically enforce HTTPS for your site, even before the first visit.

  • hsts.max-age: This specifies the maximum duration (in seconds) that browsers should enforce HTTPS for your site. For example, setting this to 31536000 means that HTTPS will be enforced for one year.
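The following is an added example, not part of the Martini documentation or code base: it reads the four hsts.* properties from override.properties, builds the Strict-Transport-Security value they imply, and reports why a configuration like the one above is not yet eligible for the browser preload list (the hstspreload.org submission form requires max-age of at least one year, includeSubDomains and preload). It assumes hsts.include-subdomains and hsts.preload map to the includeSubDomains and preload directives.

```python
from typing import Optional
ONE_YEAR = 31536000  # seconds; the hsts.max-age value used on this page

# Constructed sample override.properties content using the four hsts.* keys above.
SAMPLE_PROPERTIES = """\
hsts.enabled=true
hsts.include-subdomains=false
hsts.preload=false
hsts.max-age=31536000
"""

def parse_properties(text: str) -> dict:
    """Minimal Java-style .properties parser: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def _flag(props: dict, key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"

def hsts_header(props: dict) -> Optional[str]:
    """Strict-Transport-Security value implied by the properties, or None when HSTS is off.
    Assumption: hsts.include-subdomains/hsts.preload map to includeSubDomains/preload."""
    if not _flag(props, "hsts.enabled"):
        return None
    directives = [f"max-age={int(props.get('hsts.max-age', ONE_YEAR))}"]
    if _flag(props, "hsts.include-subdomains"):
        directives.append("includeSubDomains")
    if _flag(props, "hsts.preload"):
        directives.append("preload")
    return "; ".join(directives)

def preload_problems(props: dict) -> list:
    """Reasons the policy would fail the hstspreload.org checks (empty list = eligible)."""
    problems = []
    if not _flag(props, "hsts.enabled"):
        problems.append("hsts.enabled must be true")
    if int(props.get("hsts.max-age", 0)) < ONE_YEAR:
        problems.append(f"hsts.max-age must be at least {ONE_YEAR} (one year)")
    if not _flag(props, "hsts.include-subdomains"):
        problems.append("hsts.include-subdomains must be true")
    if not _flag(props, "hsts.preload"):
        problems.append("hsts.preload must be true")
    return problems
```

Run preload_problems against your own override.properties before submitting the domain to the preload list; once preloaded, a domain is hard to remove, so includeSubDomains must really hold for every subdomain.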