Enable HSTS on the Geo SCADA Expert Server
HTTP Strict Transport Security (HSTS) helps to protect websites against man-in-the-middle attacks, such as cookie hijacking and downgrade attacks. It requires servers to interact with web browsers only over HTTPS connections. It also requires that connections to the web browser be secured using a valid trusted certificate that fulfills the following criteria:
- The certificate must be valid and be trusted by the client.
- The certificate must not be expired.
- The certificate must contain the domain or subdomain that was called in the browser.
If you enforce an HTTPS-only connection policy in your company, we recommend that you enable HSTS on each Geo SCADA Expert server. Before you do this, you have to configure the server to use a trusted certificate.
Rejection of self-signed certificates and inability to access the Geo SCADA Expert Server site via HTTP
- Once HSTS is turned on, any browser that accesses the server site will be locked to using HTTPS for the amount of time that is defined by the server.
- HSTS prevents browsers from allowing users to accept a self-signed certificate (or any unrecognized certificate) from the server site. As such, users will only be able to use Geo SCADA Expert if the server is configured to use trusted certificates that have not expired.
Be aware of the above before you enable HSTS on each Geo SCADA Expert server.
Configure the Geo SCADA Expert server to use a trusted certificate
You typically specify whether the Geo SCADA Expert server is to use HTTPS and a trusted certificate during the installation process.
If you need to change the configuration of the Geo SCADA Expert server because it is not currently configured to use a trusted certificate:
- Obtain a valid certificate from a trusted certificate authority (CA).
- Load that certificate into the Windows certificate store on the web server machine.
- Use the IIS Manager tool in Windows to navigate to the reverse proxy website of the Geo SCADA Expert server.
- Select the Bindings entry from the Actions section of the right-hand pane.
- Select the HTTPS binding entry from the Site Bindings dialog box that is displayed.
- Select the Edit button and then configure the required certificate in the dialog box that is displayed.
To enable HSTS on the Geo SCADA Expert server
(Only do this after you have obtained and installed a valid trusted certificate for the Geo SCADA Expert server to use and have configured the server to use that certificate.)
- Use the IIS Manager tool in Windows to navigate to the reverse proxy website of the Geo SCADA Expert server.
- Select the HSTS entry in the Manage Website section of the right-hand pane.
  The Edit Website HSTS dialog box is displayed.
- Select the Enable check box to enable HSTS on the Geo SCADA Expert server.
  The other properties in the dialog box become available for use.
- In the Max-Age field, specify the number of seconds for which the user is prevented from using HTTP to visit the website once they have used the browser to visit the site using HTTPS.
- Use the IncludeSubDomains check box to specify whether HSTS should also be enabled for subdomains. This is not required for the Geo SCADA Expert reverse proxy.
- Only select the Preload check box if the site is to be added to the HSTS preload list. This is unlikely to be the case for most Geo SCADA Expert servers.
- Use the Redirect Http to Https check box to specify whether to instruct the user's browser to change to HTTPS if the browser initially attempts to access the website using HTTP.
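After completing the steps above, you can confirm that the reverse proxy really returns the Strict-Transport-Security header and that the Max-Age, IncludeSubDomains and Preload settings came through as intended. The following Python check is an added example, not part of the Geo SCADA Expert documentation or product; the server URL and the 31536000-second (one year) minimum max-age are assumptions.

```python
"""Check the Strict-Transport-Security header returned by an HTTPS site."""
import re
import ssl
import urllib.request

# Header name that IIS emits once the site's HSTS setting is enabled.
HSTS_HEADER = "strict-transport-security"


def parse_hsts(value):
    """Parse an HSTS header value into its directives.

    Returns 'max_age' (int or None), 'include_subdomains' and 'preload'.
    Unknown directives are ignored, as browsers ignore them.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())  # value may be quoted
            if match:
                policy["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def evaluate_hsts(headers, min_max_age=31536000):
    """Return a list of findings for a response's headers (names matched case-insensitively)."""
    value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER), None)
    if value is None:
        return ["HSTS header missing: browsers will still accept plain HTTP for this site"]
    policy = parse_hsts(value)
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age directive missing: browsers ignore the header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 clears the stored HSTS policy instead of enforcing it")
    elif policy["max_age"] < min_max_age:
        findings.append(f"max-age {policy['max_age']} is shorter than {min_max_age}")
    return findings


def fetch_hsts_findings(url):
    """Fetch the site over HTTPS with certificate validation and evaluate its HSTS header."""
    # The default context rejects expired or untrusted certificates, as a browser would,
    # so a self-signed certificate on the server fails here too.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx) as resp:
        return evaluate_hsts(dict(resp.headers.items()))
```

Run `fetch_hsts_findings("https://scada.example.internal/")` (assumed hostname) against the HTTPS binding; the header is only sent over HTTPS, so checking the plain HTTP URL always reports it as missing.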
Further Information