Strict-Transport-Security
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. When the browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click-through prompts on browsers, which means that the web server may only use SSL server certificates signed by a CA trusted by the browser.
The Strict-Transport-Security header has been added as an optional security component to the Grid and will affect all context roots when activated. When configured in the Grid, the header enforces the Strict Transport Security in the browser for 24 hours and includes all sub-domains.
HSTS would be an issue for any Grid router that has a Grid-signed SSL certificate. To mitigate this, HSTS is configurable for each router. The default behavior is not to send the header.
Note that even if a router does not have HSTS configured, it could be affected by other routers where it is enabled. If you first access a router where HSTS is enabled, the browser is set to enforce Strict Transport Security for the host and all sub-domains for 24 hours. If you then use the same browser to access a router without the header, the browser will still enforce it. If the later router has a self-signed certificate, the access will be denied.
Configuring HTTP Strict Transport Security for a router
-
Start the Grid admin user interface.
-
Navigate to Configuration > Routers.
-
Select the router to change the HSTS setting for, and click Edit.
-
Enable/disable the setting.
-
Click Save.
To learn about HTTP Strict Transport Security, see these sites:
-
https://tools.ietf.org/html/rfc6797
-
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet