Is the HTTP Strict Transport Security (HSTS) security header built into IdP or does it require additional configuration?


SecureAuth version affected: 9.0+

Description:

Some tools, such as the SSL Labs utility, may report that an IdP is not offering this header. Does IdP offer this header by default, or is additional configuration required?


Cause:

In this instance SSL Labs (https://www.ssllabs.com/ssltest/) was used to scan the IdP.

This tool does comprehensive free SSL testing, but it scans the root level, e.g. /Default Web Site, rather than the individual realms themselves. Because HSTS is built into the IdP code at the realm level, a scan of the root level may not show HSTS as enabled.


Resolution:

In IdP versions 9.0+ HSTS is enabled by default and is built into the IdP code, so no extra steps are needed.

The Security Headers tool (https://securityheaders.io/) analyzes HTTP headers. With this tool you can point it at https://IdP_fqdn/realm# and, if HSTS is enabled on that realm, the tool will show it as enabled.

For tools, such as SSL Labs, that scan at the Default Web Site level, it is possible to add an Outbound Rule to the IIS URL Rewrite configuration which injects the security header at the site level and does not interfere with the code in IdP.
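As an added example (not configuration shipped by SecureAuth or taken from this article), the following web.config fragment shows what such an IIS URL Rewrite outbound rule can look like. The rule name, the max-age value and the decision to only inject the header when the realm code has not already set it are assumptions for illustration; adjust them to your own policy.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Hypothetical rule name; inject HSTS at the site (root) level so
             root-level scanners such as SSL Labs see the header too. -->
        <rule name="Inject Strict-Transport-Security" enabled="true">
          <!-- Operate on the response header Strict-Transport-Security
               (URL Rewrite spells it RESPONSE_ plus the header name with
               dashes replaced by underscores). -->
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions logicalGrouping="MatchAll">
            <!-- Only send HSTS on HTTPS responses; browsers ignore it over
                 plain HTTP anyway (RFC 6797). -->
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
            <!-- Do not overwrite a value the IdP realm code already set;
                 only fill the header in when it is empty. -->
            <add input="{RESPONSE_Strict_Transport_Security}" pattern="^$" />
          </conditions>
          <!-- Assumed policy: one year; add includeSubDomains only if every
               subdomain of the IdP host is served over HTTPS. -->
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The "empty header" condition is what keeps the site-level rule from interfering with the realm-level header: where IdP already emits Strict-Transport-Security, that value is left untouched, and the rule only supplies the header on responses that lack it. After applying the rule, confirm the result from outside IIS with a plain HTTPS request (for example `curl -sI https://IdP_fqdn/` and look for the Strict-Transport-Security line) against both the root and a realm URL.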
