How to enable HTTP Strict-Transport-Security (HSTS) response header

Overview

From Applications Manager v16250, the super administrator has the option of enabling HSTS.
HTTP Strict Transport Security (HSTS), specified in RFC 6797, enables a website to identify itself as a secure host and notify browsers that HTTPS connections are the only acceptable method of communication. HSTS is an optional security upgrade that makes HTTPS mandatory and drastically lowers the chances of man-in-the-middle attacks that intercept requests and replies sent between servers and clients.

Please follow the steps below to enable the HSTS response header:

Steps

  1. Open Applications Manager.
  2. Navigate to Settings -> Product Settings -> Security Settings.
  3. Click the Configure Now button next to the Enable Security response Headers option.
    Then enable the HTTP-Strict-Transport-Security (HSTS) option.

Prerequisites

  1. Browsers will ignore the Strict-Transport-Security header if the server is configured with a self-signed certificate, so you will need to replace the default self-signed certificate that comes with Applications Manager with a signed certificate.
    1. To check whether the browser considers the SSL certificate secure, look for the Lock icon next to the web address bar, which should display "Connection is secure".
    2. See how to import SSL certificates in Applications Manager here - Manage Certificates.
  2. The prerequisite below applies only to the Applications Manager plugin (in OpManager) installation:
    1. Enable HTTPS and HSTS in OpManager before enabling them in Applications Manager.

Validation

The easiest way to check whether HSTS is enabled is to launch Chrome DevTools. Click the Network tab and check the Headers tab. You will see something similar to the following:


Alternatively, run the below curl command:
Note: Replace <apm-hostname> and <apm-https-port> with Applications Manager's hostname and HTTPS port.
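
To judge the header that either check returns, the following added example (not ManageEngine's command or code) parses one response's headers and reports the HSTS policy as RFC 6797 defines it. The function name hsts_check, its return codes, and the curl invocation shown in the comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read one HTTP response's headers on stdin and report the HSTS policy.
# Assumed usage (placeholders as in the note above):
#   curl -sI "https://<apm-hostname>:<apm-https-port>/" | hsts_check
# Prints "max-age=<seconds> includeSubDomains=<yes|no>", "missing" or "invalid".
# Returns 0 = policy active, 1 = header absent, 2 = invalid policy or max-age=0.
hsts_check() {
  tr -d '\r' | awk '
    # Header names are case-insensitive (HTTP/2 shows them in lowercase).
    # Browsers process only the first Strict-Transport-Security header (RFC 6797).
    found == 0 && tolower($0) ~ /^strict-transport-security[ \t]*:/ {
      found = 1
      subdomains = "no"
      sub(/^[^:]*:/, "")                  # keep only the header value
      n = split($0, parts, ";")           # directives are separated by ";"
      for (i = 1; i <= n; i++) {
        d = tolower(parts[i])             # directive names are case-insensitive
        gsub(/[ \t"]/, "", d)             # drop whitespace and optional quotes
        if (d ~ /^max-age=/) { age = substr(d, 9); seen_age = 1 }
        else if (d == "includesubdomains") subdomains = "yes"
      }
    }
    END {
      if (!found) { print "missing"; exit 1 }
      # max-age is mandatory and must be a whole number of seconds.
      if (!seen_age || age !~ /^[0-9]+$/) { print "invalid"; exit 2 }
      printf "max-age=%s includeSubDomains=%s\n", age, subdomains
      # max-age=0 tells the browser to delete the policy, so HSTS is not in effect.
      if (age + 0 == 0) exit 2
    }'
}
```

A return code of 1 over an HTTPS connection means the response header is not being sent; a return code of 2 means it is sent but does not establish a policy in the browser.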


Post enabling HSTS

  1. Ensure that the SSL certificates are up to date and imported into Applications Manager before the expiry date.
  2. Access Applications Manager only via the domain names configured in the SSL certificate.
  3. In case you encounter any SSL certificate errors, the browser will not allow access to Applications Manager. As a workaround, remove the HSTS policy in the browser settings by following the steps below:
    1. Type chrome://net-internals/#hsts in the browser address bar.
    2. Enter the complete domain in the Delete domain security policies field and press Enter.

    3. Now try accessing Applications Manager.
      Note: The HSTS policy will automatically be applied once again when the SSL certificate errors have been resolved and the connection is secure.
  4. Since browsers will now access Applications Manager only via https://, consider disabling the HTTP port for additional security. See how to disable HTTP access in Applications Manager.
