Platforms

Unix, Windows


Abstract

Long integer value which sets the maximum age limit (in seconds) for the HTTP Strict-Transport-Security (HSTS) header.


Example

z/VM:

<not available>

Unix:

WWW_HSTS_MAX_AGE=31536000

export WWW_HSTS_MAX_AGE

Windows:

WWW_HSTS_MAX_AGE=31536000


Details

When set to a non-zero value, causes WA to output the header "Strict-Transport-Security: max-age=x", where "x" is the non-zero variable setting: the number of seconds for which the STS policy will persist in a user's browser cache (unless the user clears their cache before that time). The value 31536000 shown in the example represents 365 days, or one year.

This is intended primarily to address DHS directive BOD 18-01, but will enhance security for any LISTSERV site which uses the HTTPS protocol in the LISTSERV web interface.

Note: WA functions named DEBUG-* (e.g., DEBUG-SHOW-VERSION) do not load the configuration file, and therefore will not output the Strict-Transport-Security: header.


Also note that if the webserver is already configured for HSTS, the webserver's HSTS value takes precedence over the setting provided by WA. The LISTSERV setting is provided for situations where the entire website is not already configured for HSTS but it is desired to use HSTS with LISTSERV.


With HSTS enabled site-wide in IIS, you may find that:

    • The "archives" directory no longer works correctly if it is implemented as an IIS virtual directory
    • Some images served by WA.EXE may be broken

WWW_HSTS_MAX_AGE can be used to solve this problem rather than enabling site-wide HSTS in IIS.
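Added example, not part of the LISTSERV documentation: a Python check that parses the Strict-Transport-Security header out of a captured WA response and verifies that max-age is at least the value configured in WWW_HSTS_MAX_AGE. The response texts are constructed samples; one mimics a DEBUG-* function, which (as noted above) never sends the header, so a check pointed at such a URL reports "missing" rather than a real misconfiguration.

```python
import re

# Constructed sample responses (headers only, not real captures).
WA_RESPONSE = (                  # normal WA function with WWW_HSTS_MAX_AGE=31536000
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)
DEBUG_RESPONSE = (               # DEBUG-* function: config not loaded, no HSTS header
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
)
WEBSERVER_RESPONSE = (           # site-wide HSTS set by the webserver, which wins over WA
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "\r\n"
)

def parse_hsts(value):
    """Parse an STS header value (RFC 6797 directives) into a dict.
    Directive names are lower-cased; max-age is converted to int."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" in directives:
        if not re.fullmatch(r"\d+", directives["max-age"]):
            raise ValueError("max-age must be a non-negative integer")
        directives["max-age"] = int(directives["max-age"])
    return directives

def check_hsts(raw_response, min_max_age=31536000):
    """Return 'ok', 'too-short', 'disabled', 'invalid' or 'missing' for one response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            max_age = parse_hsts(value).get("max-age")
            if max_age is None:
                return "invalid"                 # max-age is mandatory per RFC 6797
            if max_age == 0:
                return "disabled"                # max-age=0 tells the browser to drop the policy
            return "ok" if max_age >= min_max_age else "too-short"
    return "missing"                             # e.g. WWW_HSTS_MAX_AGE=0 or a DEBUG-* function
```

Run the check against a normal WA function URL (for example the archives index), not a DEBUG-* one, when verifying a deployment.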


Default Value

0 (i.e., disabled)