i4connected Knowledgebase 5.6

Strict-Transport-Security header

Abstract

Check out this article and read more details about the Strict-Transport-Security header and learn how to configure it for your i4connected installation.

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

To turn the header off, comment out or remove its entry from the Web.config file.

The Strict-Transport-Security header can be configured in the Web.config file, under the i4connected API folder, as a custom response header (the system.webServer/httpProtocol/customHeaders section), as follows:

  • <add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />

    [Figure STS_web_config.jpg: The Strict-Transport-Security header setting]

    • The max-age parameter is the time, in seconds, for which the browser remembers that the site must only be accessed over HTTPS (31536000 seconds is one year).

    • The includeSubdomains parameter applies the same rule to all subdomains of the site.

Important

If the machine where the i4connected application is installed runs IIS 10.0 (version 1709), the Strict-Transport-Security header should be removed from the Web.config file.

IIS 10.0 (version 1709) supports HSTS natively, so the Web.config Strict-Transport-Security header is no longer needed and should be removed; otherwise the header would be sent twice, once by IIS and once from Web.config.

HSTS can then be enabled at site level by configuring the attributes of the <hsts> element under each <site> element; more details can be found in the configuration reference HSTS - Settings for a Web Site <HSTS>.

[Figure IIS_HSTS.jpg: The HSTS setting]
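The following Python script is an added example and is not part of the i4connected product or this article. It ties together the two configuration methods described above: it parses and checks a Strict-Transport-Security header value (the max-age and includeSubdomains parameters), locates and removes the custom header from a Web.config, as the Important note requires on IIS 10.0 (1709), and renders the equivalent site-level <hsts> element. The Web.config content is a constructed sample, not a file from a real installation; the <hsts> attribute names used (enabled, max-age, includeSubDomains, redirectHttpToHttps) are those of the IIS site-level HSTS element.

```python
import re
import xml.etree.ElementTree as ET

# One year in seconds, the max-age used in the article's Web.config example.
ONE_YEAR = 31536000
HEADER = "Strict-Transport-Security"

# Constructed sample Web.config fragment (hypothetical content, not taken
# from an i4connected installation) with the header set as in the article.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def parse_hsts(value):
    """Split a header value into directives; names are case-insensitive (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the policy is acceptable."""
    d = parse_hsts(value)
    findings = []
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"\d+", str(age)):
        findings.append("max-age missing or not a number")
    elif int(age) == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif int(age) < min_age:
        findings.append("max-age below %d seconds" % min_age)
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay reachable over plain HTTP")
    return findings


def _custom_headers(root):
    """Walk to system.webServer/httpProtocol/customHeaders without ElementPath,
    because the dot in 'system.webServer' confuses ElementTree path syntax."""
    node = root
    for tag in ("system.webServer", "httpProtocol", "customHeaders"):
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    return node


def find_hsts_in_web_config(xml_text):
    """Return the configured header value, or None if the custom header is absent."""
    headers = _custom_headers(ET.fromstring(xml_text))
    if headers is None:
        return None
    for add in headers.findall("add"):
        if add.get("name", "").lower() == HEADER.lower():
            return add.get("value", "")
    return None


def remove_hsts_from_web_config(xml_text):
    """Return the Web.config with the custom header removed, which the article
    prescribes on IIS 10.0 (1709) where HSTS is configured natively instead."""
    root = ET.fromstring(xml_text)
    headers = _custom_headers(root)
    if headers is not None:
        for add in list(headers.findall("add")):
            if add.get("name", "").lower() == HEADER.lower():
                headers.remove(add)
    return ET.tostring(root, encoding="unicode")


def hsts_site_element(value, redirect_http=True):
    """Render the equivalent site-level <hsts> element for IIS 10.0 (1709) and later."""
    d = parse_hsts(value)
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"\d+", str(age)):
        raise ValueError("a numeric max-age is required")
    include = "true" if "includesubdomains" in d else "false"
    redirect = "true" if redirect_http else "false"
    return ('<hsts enabled="true" max-age="%s" includeSubDomains="%s" '
            'redirectHttpToHttps="%s" />' % (age, include, redirect))


if __name__ == "__main__":
    current = find_hsts_in_web_config(SAMPLE_WEB_CONFIG)
    print("Web.config header:", current, "findings:", check_hsts(current))
    print("Equivalent IIS site element:", hsts_site_element(current))
```

Run the script as-is to see the checks on the sample; to inspect a real file, read it into a string and pass it to find_hsts_in_web_config, then write the result of remove_hsts_from_web_config back only after native HSTS has been enabled on the site, so the header never disappears from responses in between.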