Tutorial: How to Set Up HTTP Strict Transport Security (HSTS) on Access Server
Steps to follow to set up HTTP Strict Transport Security (HSTS) on Access Server.
Overview
This tutorial guides you through setting up HTTP Strict Transport Security (HSTS) on Access Server. HSTS is a security feature that enforces secure HTTPS connections between clients and servers, preventing protocol downgrade attacks and cookie hijacking. While Access Server doesn't enable HSTS by default and it's not strictly required for Access Server functionality, certain organizations may have legal or compliance requirements (for example, government regulations) that mandate enabling HSTS headers even when no HTTP endpoint exists.
Access Server doesn't enable HSTS by default because it already serves web UIs over secure HTTPS rather than plain HTTP. While unnecessary in most cases, adding HSTS can enhance security or meet specific compliance needs. HSTS forces browsers to use only HTTPS connections, protecting against downgrade attacks and cookie hijacking.
However, because HSTS prevents browsers from bypassing certificate errors, enabling it while Access Server still uses its default self-signed certificate would lock you out of the web UIs. For that reason, HSTS stays disabled unless you replace the default certificate with a valid one.
Important
Self-Signed Certificates: If your Access Server uses a self-signed SSL certificate, enabling HSTS will block access to the web UIs. Install a valid SSL certificate before enabling HSTS.
HSTS and Compliance: In some jurisdictions (such as Dutch municipalities), enabling HSTS is legally required. Access Server supports this via custom HTTP headers, even though it's not enabled by default.
Prerequisites
An installed Access Server version 2.9.4 or newer.
A valid SSL certificate installed on your Access Server.
Console access and the ability to get root access.
Access Server doesn't include a built-in toggle for HSTS, but you can enforce it by specifying a custom HTTP header. This method is the recommended way to satisfy compliance requirements when HSTS is mandated.
Important
Customers have confirmed that implementing HSTS via the cs.http_headers setting with the steps below works without issue, provided that a valid SSL certificate is in use. This method is sufficient to meet compliance obligations such as PCI-DSS or government regulations requiring HSTS.
To add the Strict-Transport-Security header and implement HSTS, follow our tutorial on specifying custom HTTP headers.
Here's an example of a command for setting the HSTS header on Access Server with the subdomain vpn.company.com:
sacli --key "cs.http_headers.0" --value "Strict-Transport-Security: max-age=63072000" ConfigPut
sacli start
Tip
For more about Strict-Transport-Security headers and possible values, refer to this documentation.
Submit your Access Server domain to the Chrome HSTS Preloaded List to ensure browsers recognize it as HSTS-compliant. This will ensure that browsers enforce HTTPS connections before making the first request.
Visit the HSTS Preloaded List Submission Form and submit your domain.
If your Access Server is hosted on a subdomain (e.g., vpn.company.com), submit the root domain (e.g., company.com) to the HSTS preload list; preloading the root domain applies HSTS to all of its subdomains, including your Access Server's subdomain.
In that case, also make sure HSTS is enabled on the root domain (company.com) itself, so that HSTS is enforced consistently across all subdomains.
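To verify the header set with the sacli command above and to see whether the domain would satisfy the preload list before you submit it, here is an added Python check (example code, not part of Access Server or this tutorial). The host name vpn.company.com is the tutorial's placeholder; the one-year minimum max-age, includeSubDomains and preload requirements are the published hstspreload.org submission rules, and the duplicate-directive handling follows RFC 6797.

```python
import http.client
import ssl

def parse_hsts(value):
    """Split an STS header value into lower-cased directives (RFC 6797).
    A repeated directive makes a browser ignore the header, so return None."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')  # directive values may be quoted
    return directives

def evaluate_hsts(value):
    """Return (enforced_in_browsers, eligible_for_preload, findings)."""
    directives = parse_hsts(value) if value else None
    if directives is None or "max-age" not in directives:
        return False, False, ["missing or malformed Strict-Transport-Security header"]
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return False, False, ["max-age is not an integer"]
    if max_age == 0:
        return False, False, ["max-age=0 disables HSTS for this host"]
    findings = []
    if max_age < 31536000:  # hstspreload.org requires at least one year
        findings.append(f"max-age {max_age} is below the one-year preload minimum")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing (required for preload)")
    if "preload" not in directives:
        findings.append("preload directive missing (required for preload)")
    return True, not findings, findings

def fetch_hsts(host, port=443, timeout=5):
    # Live check; the certificate must validate, exactly as HSTS itself demands.
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request("HEAD", "/")
    value = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return value

if __name__ == "__main__":
    # Constructed input: the header value set by this tutorial's sacli command.
    print(evaluate_hsts("max-age=63072000"))
    # Against a live server: print(evaluate_hsts(fetch_hsts("vpn.company.com")))
```

The tutorial's value enforces HSTS in browsers but is not preload-eligible on its own; the check reports which directives the root domain would still need.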