Akash BL

HSTS (HTTP Strict Transport Security) with SAP Web Dispatcher

Hello everyone,

This is my first SAP blog post, and I noticed there isn't much information on implementing HSTS (HTTP Strict Transport Security) with SAP Web Dispatcher.

I believe this blog post will help you understand how to implement HSTS in SAP Web Dispatcher.

More information about HSTS can be found on the wiki page: HSTS



HSTS can be configured either in the Web Dispatcher or in the backend servers (ICM), provided that the backend release level supports it. If it does not, the easier way is to have the Web Dispatcher set the header itself.

The minimum patch/kernel level is given in SAP Note 2042819.

Prerequisites for HSTS:

  • SSL/TLS is implemented in the environment.
  • Valid security certificates are installed for the systems.


HSTS works by sending a security header in the server's HTTPS response that specifies an expiry time. Until that time has elapsed, the browser (client) converts HTTP requests for the site to HTTPS on its own, without needing a redirect from the server each time, which removes the window for a man-in-the-middle attack (MITM).

After SSL is implemented in the SAP Portal, the developer info for the URL looks as below, without any security headers.

As you can see, the response headers do not contain 'Strict-Transport-Security'.

The parameters below are added to the Web Dispatcher's $(DIR_PROFILE)\icm_filter.txt file:

if %{HTTP_HOST} regimatch <host>*
SetResponseHeader Strict-Transport-Security "max-age=<age in sec>; includeSubDomains"

where <host> is the Web Dispatcher or ICM host and 'max-age' is the time in seconds for which the client (browser) will not ask the server for the security header again. This is usually set to 31556952 seconds (1 year).

'includeSubDomains' makes sure that the URL's subdomains also have the HSTS policy applied.

Otherwise, if HTTP requests are not yet redirected to HTTPS, create a redirect rule like the one below and then add the parameter:

if %{SERVER_PROTOCOL} !stricmp "https"
RegIRedirectUrl /(.*) https://<host>:<https_port>/$1

Once this is done, save the file and restart the Web Dispatcher. Access the URL and open the developer info: the HSTS header below is now set for all sub-pages and will not expire until the 'max-age' time has elapsed.
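As an added example (not from the original post or from SAP), the following Python script checks a Web Dispatcher response the way a browser would judge the configuration above: it parses the Strict-Transport-Security header and flags a max-age below the one-year value, a missing includeSubDomains, an HTTP response that is not redirected to HTTPS, and a header sent over plain HTTP (which browsers ignore). The host name and sample responses in it are constructed.

```python
ONE_YEAR = 31556952  # max-age value (seconds) used in the post


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains' as a browser would; max_age is None if invalid."""
    result = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                result["max_age"] = int(arg)
        elif name == "includesubdomains":  # directive names are case-insensitive
            result["include_subdomains"] = True
    return result


def check_response(scheme: str, status: int, headers: dict) -> list:
    """Return findings for one response from the Web Dispatcher; [] means it is sound."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if scheme == "http":
        # Browsers ignore HSTS on plain HTTP, so the redirect rule must do its job here.
        redirected = status in (301, 302, 307, 308) and hdrs.get("location", "").startswith("https://")
        if not redirected:
            findings.append("HTTP request not redirected to HTTPS")
        if "strict-transport-security" in hdrs:
            findings.append("HSTS header sent over HTTP is ignored by browsers")
        return findings
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        return ["Strict-Transport-Security header missing on HTTPS response"]
    parsed = parse_hsts(hsts)
    if parsed["max_age"] is None:
        findings.append("max-age directive missing or not numeric")
    elif parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age {parsed['max_age']} is below one year ({ONE_YEAR})")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: a correct redirect and a header set as in the post.
    print(check_response("http", 302, {"Location": "https://webdisp.example:44300/"}))
    print(check_response("https", 200, {"Strict-Transport-Security": "max-age=31556952; includeSubDomains"}))
```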


Also refer to the SAP Web Dispatcher best practices for more secure configurations: SAP webdisp best practices. Refer to the SAP blog for more details on HSTS.

Viewing/clearing HSTS in Chrome:

In Google Chrome the HSTS configuration can be viewed under

chrome://net-internals/#hsts > Domain Security Policy

To check whether HSTS info is saved in the browser (client), enter the domain name and query it.

To clear the HSTS info temporarily in Chrome, the same page has an option for that as well.


Please do let me know your feedback.

      Sanjay Birari

      Excellent information ..

      Akash BL
      Blog Post Author

      Thank you Sanjay Birari !!

      Johannes Goerlich

      Hey Akash,

      thank you for this valuable blogpost. Would you recommend to rather go for

      if %{SERVER_PROTOCOL} stricmp "https"
      SetResponseHeader Strict-Transport-Security "max-age=<age in sec>; includeSubDomains"

      to set the header for every https response?



      Akash BL
      Blog Post Author

      Hello Johannes,


      Thank you for the response.

      The stricmp "https" is to be used if and only if the https redirect is enabled, as it will look only for https.

      if %{HTTP_HOST} regimatch <host>* will make sure the protocol is enabled for the host specified, although the result is the same.


      Moreover, the option mentioned by you will make all URLs with https be considered, but the latter one is used when multiple servers have a common web dispatcher and we need HSTS for a specific host.




      AKIL SYED

      Nice information... Appreciate your efforts!!!!  Keep up the good work.

      Akash BL
      Blog Post Author

      Thank you for your feedback Akil !