A:

By default HSTS is disbaled because few customers still accessed 

http://links 

from 

https://pages 

for same domain so this option is not enabled by default. To enable it follow next steps


1. open/edit(create) with Notepad **\Clients\webserver\settings.bin 


2. and add/save as last line

enable_hsts_https=true


3. restart HTML5 via AdmintTool GUI


4. now in **\Clients\webserver\web_log.txt you should see following message Enabled HSTS HTTPS header! indicating that the HSTS was activated.


As in notation above remember, after activating HSTS you won't be able anymore to access http links from your page.


The setting adds as default following header

"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"



B:

To activate OCSP stapling you must use at least Java9


1. open/edit(create) with Notepad **\Clients\webserver\settings.bin 


2. and add/save as last line

oscp_stapling_java9_enabled=true


3. restart HTML5 via AdmintTool GUI


4. now in **\Clients\webserver\web_log.txt you should see following message OCSP stapling for Java9 enabled! indicating that the OCSP stapling was activated.