HTTP Strict Transport Security, or HSTS, is a standard mechanism defined by RFC 6797 to enforce HTTPS (secure communications) rather than plaintext HTTP.
Web browsers and other clients that support HSTS maintain a list of servers that enable it, and refuse to connect to those servers using plain HTTP. Clients learn which servers have enabled HSTS using a 'preload list' or by receiving an HTTP response from a server that contains the Strict-Transport-Security header.
HSTS is primarily useful for the conventional web-browsing use case, where servers support both HTTP and HTTPS, and clients might accidentally connect by HTTP, or be tricked into doing so. For Enterprise Server, HSTS generally serves no purpose, because very few organizations will configure an Enterprise Server component with both plaintext HTTP and TLS-enabled HTTPS listeners for the same purpose. Thus, there is no danger of clients connecting by plaintext HTTP if TLS has been enabled, because plaintext HTTP won't be available.
Also, HSTS does not function well in use cases other than conventional web browsing. In particular, it does not adequately address deployments where ports other than the standard 80 (for plaintext HTTP) and 443 (for HTTPS) are used. It can also cause problems when a domain contains a mix of HSTS-enabled and HTTP-only web servers, since the HSTS setting (in particular, includeSubDomains) may cause browsers to refuse plaintext connections to the servers that never enabled HSTS.
For these reasons, Micro Focus does not recommend the use of HSTS with Enterprise Server.
However, some organizations have blanket rules regarding enabling HSTS on all web servers, or need to enable HSTS in order to satisfy security auditors.
Enterprise Server 5.0 (Patch Update 12 or later), 6.0 (Patch Update 2 or later), and subsequent releases have the following support for HSTS:
[Response Headers] Strict-Transport-Security=max-age=31536000; includeSubDomains
See RFC 6797 for more information on the value of the Strict-Transport-Security header.