Tutorial: How to Set Up HTTP Strict Transport Security (HSTS) on Access Server

Abstract

Steps to follow to set up HTTP Strict Transport Security (HSTS) on Access Server.

Overview

This tutorial guides you through setting up HTTP Strict Transport Security (HSTS) on Access Server. HSTS (RFC 6797) is a response header that tells browsers to connect to a host only over HTTPS for a set period. Once a browser has cached the policy it rewrites plain-HTTP requests to HTTPS before sending them, which stops protocol downgrade attacks and the theft of session cookies over unencrypted connections.

Access Server doesn't enable HSTS by default because it already serves its web UIs only over HTTPS, so in most deployments the header adds little. You can still add it to harden the web UIs further or to satisfy a security scan or a formal compliance requirement.

There is a second reason it is off by default: browsers do not let users click through a certificate error on an HSTS host, and they only honour the header when it arrives over a connection whose certificate validated. With the default self-signed certificate, a browser that had never cached the policy would simply ignore the header, while a browser that had cached it from an earlier valid certificate would refuse to show the web UIs at all. HSTS therefore only makes sense once you have replaced the default certificate with a valid one, and you must keep that certificate renewed for as long as the max-age you set.

Important

  • Self-Signed Certificates: If your Access Server still uses the default self-signed SSL certificate, do not enable HSTS. Browsers refuse to bypass certificate errors on an HSTS host, so the web UIs would become unreachable from any browser that has cached the policy. Install a valid SSL certificate first, and keep it renewed: an expired certificate on an HSTS host locks users out in the same way.

  • HSTS and Compliance: Security scans and standards such as PCI-DSS frequently flag a missing Strict-Transport-Security header. The header on the HTTPS responses is what such a scan checks. Submitting the domain to the browser preload list is a separate, optional step with its own requirements (a long max-age plus the includeSubDomains and preload directives, served from the root domain).

Prerequisites

  • An installed Access Server version 2.9.4 or newer.

  • A valid SSL certificate installed on your Access Server.

  • Console access and the ability to get root access.

Configure the HSTS header

  • Access Server sends the Strict-Transport-Security header through its custom HTTP header setting. For the details of that setting, follow our tutorial:

    • Tutorial: Specify Custom HTTP Headers

    • Here's an example of the commands, run as root on the Access Server, that set the HSTS header with a max-age of two years (63072000 seconds). The header is then sent on every HTTPS response from the web UIs, whatever hostname (for example the subdomain vpn.company.com) clients use to reach them:

      sacli --key "cs.http_headers.0" --value "Strict-Transport-Security: max-age=63072000" ConfigPut
      sacli start

      If you already use other custom headers, put the HSTS header under the next free index (cs.http_headers.1, and so on) rather than overwriting cs.http_headers.0. For a first rollout, consider a short max-age such as 300 and raise it only after you have confirmed that the certificate and its renewal work: a browser that has cached a long max-age keeps enforcing HTTPS for that period even if you later remove the header.

      Tip

      The directives the header accepts (max-age, includeSubDomains and preload) and their meaning are defined in RFC 6797; refer to that RFC or the MDN reference for Strict-Transport-Security for more about possible values.

Submit your domain to the HSTS preload list (optional)

  1. Submitting your domain to the Chrome HSTS Preloaded List (hstspreload.org, whose list is also shipped by Firefox, Safari and Edge) makes browsers enforce HTTPS for it before they have ever received the header, so even the very first request is protected.

  2. The preload list accepts registrable domains, not individual hostnames. If your Access Server is hosted on a subdomain (e.g., vpn.company.com), submit the root domain (e.g., company.com); preloading then applies to all of its subdomains, including your Access Server's subdomain.

  3. For the submission to be accepted, the root domain itself (the web server that answers for company.com, which is not your Access Server) must serve a valid certificate, redirect HTTP to HTTPS, and send the header with a max-age of at least 31536000 (one year) plus the includeSubDomains and preload directives, for example Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. Because preloading covers every subdomain and is slow and difficult to reverse, first confirm that nothing under company.com still needs to be reachable over plain HTTP.
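Putting the two procedures together, as an added example that is not code from the Access Server documentation: a small POSIX shell script that applies the header with sacli, fetches the Strict-Transport-Security value a live server returns with curl, and validates that value against either the basic requirement (a positive numeric max-age) or the hstspreload.org requirements (max-age of at least 31536000 plus includeSubDomains and preload). The hostname vpn.company.com, the sacli path /usr/local/openvpn_as/scripts/sacli and the script name hsts.sh are assumptions. The verify mode needs network access to the server; check_hsts_value works offline on any header value.

```shell
#!/bin/sh
# Added example; not code from the OpenVPN Access Server documentation.
# Assumptions: Access Server is reached as vpn.company.com, sacli lives at
# /usr/local/openvpn_as/scripts/sacli, and a valid certificate is installed.
# Usage:  sh hsts.sh apply                               (as root on Access Server)
#         sh hsts.sh verify vpn.company.com              (check the basic header)
#         sh hsts.sh verify company.com preload          (check preload requirements)

SACLI=/usr/local/openvpn_as/scripts/sacli
HSTS_VALUE="max-age=63072000"

# Set the header through Access Server's custom HTTP header setting and apply it.
set_hsts_header() {
    "$SACLI" --key "cs.http_headers.0" \
             --value "Strict-Transport-Security: $HSTS_VALUE" ConfigPut
    "$SACLI" start
}

# Print the Strict-Transport-Security value a live server returns (empty if none).
fetch_hsts_header() {
    curl -sSI "https://$1/" | tr -d '\r' |
        awk 'tolower($1) == "strict-transport-security:" { sub(/^[^:]*: */, ""); print; exit }'
}

# Validate a header value. Mode "basic": a positive numeric max-age is present.
# Mode "preload": the hstspreload.org requirements, max-age >= 31536000 plus the
# includeSubDomains and preload directives. Returns 0 when valid, 1 otherwise.
check_hsts_value() {
    hv_value=$1
    hv_mode=${2:-basic}
    hv_max_age=""
    hv_subdomains=0
    hv_preload=0
    hv_old_ifs=$IFS
    IFS=';'
    set -f                      # no pathname expansion while splitting on ';'
    for hv_directive in $hv_value; do
        # directive names are case-insensitive; strip surrounding whitespace
        hv_directive=$(printf '%s' "$hv_directive" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        case "$hv_directive" in
            max-age=*)         hv_max_age=${hv_directive#max-age=} ;;
            includesubdomains) hv_subdomains=1 ;;
            preload)           hv_preload=1 ;;
        esac
    done
    set +f
    IFS=$hv_old_ifs
    case "$hv_max_age" in
        ''|*[!0-9]*) echo "FAIL: missing or non-numeric max-age"; return 1 ;;
    esac
    if [ "$hv_max_age" -eq 0 ]; then
        echo "FAIL: max-age=0 tells browsers to forget the policy"; return 1
    fi
    if [ "$hv_mode" = preload ]; then
        [ "$hv_max_age" -ge 31536000 ] || { echo "FAIL: preload needs max-age >= 31536000"; return 1; }
        [ "$hv_subdomains" -eq 1 ]     || { echo "FAIL: preload needs includeSubDomains"; return 1; }
        [ "$hv_preload" -eq 1 ]        || { echo "FAIL: preload needs the preload directive"; return 1; }
    fi
    echo "OK: $hv_value"
}

case "${1:-}" in
    apply)  set_hsts_header ;;
    verify) check_hsts_value "$(fetch_hsts_header "${2:?host required}")" "${3:-basic}" ;;
esac
```

Run the verify mode against vpn.company.com after sacli start to confirm the header really reaches clients, and against the root domain in preload mode before submitting company.com to the preload list; the preload check deliberately rejects the header the Access Server tutorial sets (no includeSubDomains or preload directive), which is correct because preloading is configured on the root domain's web server, not on Access Server.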