Description: Access Server doesn't set the HTTP Strict Transport Security (HSTS) header by default because it doesn't serve the Client or Admin Web UIs over plain (unencrypted) HTTP. It's also unnecessary in most cases, but adding an HSTS header could improve the overall security of your installation and/or allow your Access Server to meet formal requirements. HSTS is a web security option that helps protect websites against protocol downgrade attacks and cookie hijacking by telling the web browser or other web-based clients to interact with the web server only using a secure HTTPS connection and not to use the insecure HTTP protocol. The server can communicate the HSTS Policy to the web browser via an HTTPS response header named Strict-Transport-Security.
Also, HSTS is designed to prevent you from overriding an invalid SSL certificate. Since Access Server comes with a self-signed certificate by default, if you haven't yet replaced it with a valid SSL certificate, enabling HSTS would mean effectively blocking access to your Access Server web UIs until you install a valid SSL certificate. So, for this and the other reasons mentioned above, HSTS is not enabled on Access Server.
If you need to enable HSTS in Access Server, the information here should help.
Step 1: Implement HSTS on your Access Server
To add the Strict-Transport-Security header and implement HSTS, you specify custom HTTP headers with Access Server, outlined in this guide.
Here is an example command that sets the HSTS header on an Access Server reachable at a subdomain such as vpn.company.com:
sacli --key "cs.http_headers.0" --value "Strict-Transport-Security: max-age=63072000" ConfigPut
Note: This requires Access Server 2.9.4 or newer. If you run a version before 2.9.4 and want to set "Strict-Transport-Security" or any other custom HTTP header, upgrade your Access Server first.
For more about "Strict-Transport-Security" headers and possible values, refer here.
Step 2: Add to the HSTS preloaded list
Once you've configured your header, submit and register your Access Server domain (FQDN) with Chrome's HSTS preload list. You can follow the link below to do that:
Important: HSTS preload lists accept bare domains only. So, if your Access Server uses a subdomain like vpn.company.com, add company.com to the HSTS preload lists, and it will work for all subdomains, including vpn.company.com.
In this case, you also need to set "Strict-Transport-Security" on the website at company.com itself.
Once you have both steps in place, HSTS will work as expected while connecting via web services to your Access Server.
Note: Both prerequisites explained above must be in place for HSTS to work properly. If you have one but not the other, HSTS won't work.
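As an added check (not part of this article or of Access Server itself), the Python below parses a Strict-Transport-Security value such as the one set by the sacli command above and lists what hstspreload.org would reject: the preload list requires a max-age of at least one year plus the includeSubDomains and preload directives, and the example value "max-age=63072000" carries only the first of these. It assumes nothing beyond the Python 3 standard library; the sample values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value into its RFC 6797 directives."""
    policy = HstsPolicy()
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
            elif policy.max_age is not None:
                policy.problems.append("max-age directive given more than once")
            else:
                policy.max_age = int(value)
        elif name == "includesubdomains":  # directive names are case-insensitive
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # empty and unknown directives are ignored, as RFC 6797 requires
    if policy.max_age is None:
        policy.problems.append("max-age directive missing (browsers ignore the header)")
    return policy

def preload_problems(header_value: str) -> List[str]:
    """Reasons hstspreload.org would reject this value; an empty list means the value
    is acceptable (the bare domain must still serve it over HTTPS and redirect HTTP)."""
    policy = parse_hsts(header_value)
    problems = list(policy.problems)
    if policy.max_age is not None and policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems

# Constructed samples: the value from the sacli command above, and a preload-ready one.
PAGE_VALUE = "max-age=63072000"
PRELOAD_VALUE = "max-age=63072000; includeSubDomains; preload"
```

Calling preload_problems(PAGE_VALUE) returns the two missing directives, while preload_problems(PRELOAD_VALUE) returns an empty list.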
For more info:
How do I set HTTP Strict Transport Security?
Install Custom HTTP Security Headers
Strict-Transport-Security on MDN Web Docs
If you have additional questions, please submit a ticket.