How do I set HTTP Strict Transport Security?

FAQ

OpenVPN Access Server does not support this setting, and it is not necessary. HTTP Strict Transport Security (HSTS) is a web security option that helps protect websites against protocol downgrade attacks and cookie hijacking. It tells the web browser or other web-based client to interact with the web server only over a secure HTTPS connection and not to use the insecure HTTP protocol. The server can communicate the HSTS policy to the web browser through an HTTPS response header field named Strict-Transport-Security.

Since OpenVPN Access Server only serves HTTPS and does not do HTTP at all, declaring that the client should use HTTPS is superfluous.

Also, HSTS is designed to prevent you from overriding an invalid SSL certificate. Access Server comes with a self-signed certificate by default, so if you haven't yet replaced it with a valid SSL certificate, enabling HSTS would effectively block access to your Access Server web pages until you implement a valid SSL certificate. For this and the other reasons mentioned above, HSTS is not enabled on Access Server.
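
The following is an added example, not part of the OpenVPN documentation: it shows how a client interprets the Strict-Transport-Security header field described above, using the parsing rules of RFC 6797. The function name `parse_hsts` and the sample header values are constructed for illustration.

```python
import re

# One directive: name, optionally "=" and a token or quoted-string value.
_DIRECTIVE = re.compile(r'([^\s=;"]+)(?:\s*=\s*("[^"]*"|[^\s;"]+))?')


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if a client must ignore it."""
    seen = {}
    for part in value.split(";"):  # simplification: no ";" inside quoted values
        part = part.strip()
        if not part:  # empty directives between semicolons are permitted
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:  # a directive may appear only once
            return None
        raw = m.group(2)
        seen[name] = raw.strip('"') if raw is not None else None
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):  # max-age is required
        return None
    return {
        "max_age": int(age),  # seconds; 0 tells the client to drop the policy
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,  # preload-list convention, not RFC 6797
    }


if __name__ == "__main__":
    # Constructed sample header values, not captured from any server.
    for sample in ("max-age=31536000; includeSubDomains", 'MAX-AGE="600"',
                   "includeSubDomains", "max-age=1; max-age=2"):
        print(repr(sample), "->", parse_hsts(sample))
```

A return value of `None` means the header is malformed and a conforming client keeps no HSTS policy from it; unrecognized directives are ignored rather than treated as errors.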
