How Do I Set HTTP Strict Transport Security?

That is not a setting that is supported on OpenVPN Access Server. It is also not necessary. HTTP Strict Transport Security or HSTS is a web security option which helps to protect websites against protocol downgrade attacks and cookie hijacking by telling the web browser or other web based client to only interact with the web server using a secure HTTPS connection and not to use the insecure HTTP protocol. The HSTS Policy can be communicated by the server to the web browser via an HTTPS response header field named Strict-Transport-Security.

Since OpenVPN Access Server only has HTTPS, and does not do HTTP at all, then declaring that the client should use HTTPS is superfluous.

Also, HSTS is designed to prevent you from overriding an invalid SSL certificate. Since the Access Server comes with a self-signed certificate by default, and if you haven't yet replaced it with a valid SSL certificate, then enabling HSTS would mean effectively blocking access to your Access Server web pages until you implement a valid SSL certificate. So for this and the other reasons mentioned above, HSTS is not enabled on Access Server.

Updates & Announcements

CloudConnexa™

Cyber Shield Released

Cyber Shield protects you from cyber threats without requiring you to tunnel internet traffic. Turn Shield ON.

Learn More

Access Server

Release Notes 2.11.3

Access Server 2.11.3 is the version now rolled out to the major cloud providers. For those using Access Server on a cloud provider, we recommend upgrading to the latest cloud image.

Read Release Notes

Questions

Questions

How do I set HTTP Strict Transport Security?

Updates & Announcements

Cyber Shield Released

Release Notes 2.11.3