Views:

Prerequisites for Enabling HSTS

Before enabling HTTP Strict Transport Security (HSTS) on InterScan Messaging Security Virtual Appliance, it is essential to ensure the following prerequisite is met:

A trusted Certificate Authority (CA) certificate must be installed and correctly configured on the InterScan Messaging Security Virtual Appliance for HTTPS services. This ensures that HTTPS connections are secured and trusted by browsers, which is a fundamental requirement for HSTS to function properly. Without a valid and trusted SSL/TLS certificate, browsers may not honor the HSTS policy, and users will continue to receive security warnings.

Ensuring this prerequisite will help in successfully enforcing HSTS and improving the overall security posture of the InterScan Messaging Security Virtual Appliance web interface.

Steps to Enable HSTS on InterScan Messaging Security Virtual Appliance

Backup the Current Configuration File.
Before making any changes, back up the existing web.xml file to prevent accidental loss.
```
cp -a /opt/trend/imss/UI/tomcat/conf/web.xml /opt/trend/imss/UI/tomcat/conf/web.xml_backup
```
Edit the web.xml File.
Open the configuration file for editing:
```
vi /opt/trend/imss/UI/tomcat/conf/web.xml
```

Add the HSTS Filter Configuration.

Scroll to the end of the file and insert the following XML snippet just before the closing </web-app> tag:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsPreload</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Save and Close the File.
After pasting the above content, save changes and exit the editor.
Restart the InterScan Messaging Security Virtual Appliance UI Service.
Apply the changes by restarting the UI service:
```
S99ADMINUI restart
```
Verify HSTS Header Presence.
Access the InterScan Messaging Security Virtual Appliance web interface via a browser over HTTPS. Use browser developer tools (Network tab) to inspect the HTTP response headers. Look for the presence of the Strict-Transport-Security header with the configured parameters.

Alternatively, use the following command to check the headers directly:
```
curl -I -k https://<IMSVA_IP>:<PORT>/
```
Expected header example:
```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
- The default HTTPS UI port is typically 8445. If you are verifying on port 8447, confirm that the EUQ (End User Quarantine) service is enabled. The HSTS header will not appear if EUQ is disabled or the port is not in use. For more information about EUQ, see the About EUQ documentation.
- To check if EUQ is enabled, run:
```
ps -elf | grep -i EUQ
```
- To stop the EUQ service (if needed):
```
S99EUQ stop
```
- The S99EUQ stop command will not affect mail operations if EUQ is disabled in the UI.
- To enable EUQ, see the detailed steps in the Enabling EUQ guide.
- Ensure that after any configuration changes or service restarts, the HSTS header is verified on the correct port.

Keywords: enable hsts header imsva, imsva https security configuration, hsts missing https server, configure http header security, imsva web ui hsts, strict transport security imsva, imsva euq service port, verify hsts header curl

Enabling HTTP Strict Transport Security (HSTS) to Secure Web UI Access for Trend Micro™ InterScan™ Messaging Security Virtual Appliance

Product / Version includes:

Interscan Messaging Security Virtual Appliance All

Last updated: 2025/12/22

Solution ID: KA-0021868

Category: Configure , Troubleshoot

Summary

The remote web server of the InterScan Messaging Security Virtual Appliance is reported as not enforcing HTTP Strict Transport Security (HSTS) as defined by RFC 6797. When accessing the InterScan Messaging Security Virtual Appliance web interface over HTTPS, users or vulnerability scanners observe that the HTTP response header "Strict-Transport-Security" is missing. This absence results in security risks such as downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakened cookie-hijacking protections. Symptoms include vulnerability scan results indicating "The remote HTTPS server does not send the HTTP 'Strict-Transport-Security' header" and HTTP response headers lacking HSTS directives.

This guide provides step-by-step instructions to enable the HTTP Strict Transport Security (HSTS) header on the InterScan Messaging Security Virtual Appliance (IMSVA) version 9.1. Enabling HSTS ensures browsers only communicate with the IMSVA web interface over HTTPS, improving security against downgrade and man-in-the-middle attacks.

Prerequisites for Enabling HSTS

Before enabling HTTP Strict Transport Security (HSTS) on InterScan Messaging Security Virtual Appliance, it is essential to ensure the following prerequisite is met:

A trusted Certificate Authority (CA) certificate must be installed and correctly configured on the InterScan Messaging Security Virtual Appliance for HTTPS services. This ensures that HTTPS connections are secured and trusted by browsers, which is a fundamental requirement for HSTS to function properly. Without a valid and trusted SSL/TLS certificate, browsers may not honor the HSTS policy, and users will continue to receive security warnings.

Ensuring this prerequisite will help in successfully enforcing HSTS and improving the overall security posture of the InterScan Messaging Security Virtual Appliance web interface.

Steps to Enable HSTS on InterScan Messaging Security Virtual Appliance

Backup the Current Configuration File.
Before making any changes, back up the existing web.xml file to prevent accidental loss.
```
cp -a /opt/trend/imss/UI/tomcat/conf/web.xml /opt/trend/imss/UI/tomcat/conf/web.xml_backup
```
Edit the web.xml File.
Open the configuration file for editing:
```
vi /opt/trend/imss/UI/tomcat/conf/web.xml
```

Add the HSTS Filter Configuration.

Scroll to the end of the file and insert the following XML snippet just before the closing </web-app> tag:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsPreload</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Save and Close the File.
After pasting the above content, save changes and exit the editor.
Restart the InterScan Messaging Security Virtual Appliance UI Service.
Apply the changes by restarting the UI service:
```
S99ADMINUI restart
```
Verify HSTS Header Presence.
Access the InterScan Messaging Security Virtual Appliance web interface via a browser over HTTPS. Use browser developer tools (Network tab) to inspect the HTTP response headers. Look for the presence of the Strict-Transport-Security header with the configured parameters.

Alternatively, use the following command to check the headers directly:
```
curl -I -k https://<IMSVA_IP>:<PORT>/
```
Expected header example:
```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
- The default HTTPS UI port is typically 8445. If you are verifying on port 8447, confirm that the EUQ (End User Quarantine) service is enabled. The HSTS header will not appear if EUQ is disabled or the port is not in use. For more information about EUQ, see the About EUQ documentation.
- To check if EUQ is enabled, run:
```
ps -elf | grep -i EUQ
```
- To stop the EUQ service (if needed):
```
S99EUQ stop
```
- The S99EUQ stop command will not affect mail operations if EUQ is disabled in the UI.
- To enable EUQ, see the detailed steps in the Enabling EUQ guide.
- Ensure that after any configuration changes or service restarts, the HSTS header is verified on the correct port.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Enabling HTTP Strict Transport Security (HSTS) to Secure Web UI Access for Trend Micro™ InterScan™ Messaging Security Virtual Appliance

Prerequisites for Enabling HSTS

Steps to Enable HSTS on InterScan Messaging Security Virtual Appliance

Enabling HTTP Strict Transport Security (HSTS) to Secure Web UI Access for Trend Micro™ InterScan™ Messaging Security Virtual Appliance

Product / Version includes:

Summary

Prerequisites for Enabling HSTS

Steps to Enable HSTS on InterScan Messaging Security Virtual Appliance