Introduction:
The HTTP Strict Transport Security (HSTS) specification, RFC 6797, says:
"An HTTP host declares itself an HSTS Host by issuing to UAs (User Agents) an HSTS Policy, which is represented by and conveyed via the
Strict-Transport-Security HTTP response header field over secure transport (e.g., TLS)."
Example:
web.config (system.webServer section):
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
Use case:
We are trying to remediate a security finding where no HSTS header is set when the web agent redirects the user to a Login page for Authentication.
Question:
This is the flow:
1. User hits a protected page.
2. SiteMinder is configured for Forms Authn and redirects the user to a Login.asp page.
Now, on the 302 to the login page there is no HSTS header, but on the 200 when the page is rendered there is an HSTS header. The finding is that there is NO HSTS header on the 302, and they are expecting to see the header.
Is this the expected behavior, or can we do something about the HSTS headers on the redirect?
Environment:
SiteMinder Policy Server Version: 12.52 SP01 CR08
Policy Server O/S: Win 2008 R2
Policy Store Database: CA Directory
User Store Database: AD
Web Server: IIS 7
Web Server O/S: Win 2008 R2
SiteMinder Web Agent Version: R12.52 SP01 CR05
Environment: Production
We only have one web server in play here; the login page is also hosted on it, and it also has the configuration for the HSTS header.
Answer:
HSTS is not supported by IIS until the following configuration: Windows Server 2016 / IIS 10.
IIS 10 requires web agent 12.52 SP1 CR6 Build 2331 or CR8.
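The check below is an added example for this article, not code from CA/Broadcom or from the SiteMinder web agent. It audits every hop of a login redirect chain for the Strict-Transport-Security header, which is how the finding in the question would be reproduced and later re-verified: each response in the chain is parsed, the header is required on every hop, and its directives are validated against RFC 6797 (max-age is mandatory; the policy only counts when delivered over TLS). The hostname app.example.com, the Login.asp path and the two raw responses are constructed to mirror the 302 and 200 described in the question; they are not real captures.

```python
"""Audit a redirect chain for the Strict-Transport-Security (HSTS) header.

Added example, not part of the original article. The sample responses at
the bottom are constructed to mirror the question's flow (302 without
HSTS, then 200 with HSTS); hostnames and paths are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HSTS_HEADER = "strict-transport-security"


@dataclass
class Hop:
    url: str
    status: int
    headers: Dict[str, str]                 # lower-cased name -> value
    hsts: Optional[Dict[str, object]] = None  # parsed directives, if valid
    problems: List[str] = field(default_factory=list)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response (status line + headers) into status code and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse STS directives (RFC 6797 section 6.1). max-age is required and numeric;
    directive names are case-insensitive, so they are lower-cased here."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        raise ValueError("missing or non-numeric max-age in %r" % value)
    directives["max-age"] = int(max_age)
    return directives


def audit_hop(url: str, raw: str) -> Hop:
    """Check one response: HSTS must be present, well-formed, and sent over TLS."""
    status, headers = parse_response(raw)
    hop = Hop(url, status, headers)
    if not url.lower().startswith("https://"):
        # RFC 6797 section 8.1: a UA ignores the STS header on a non-TLS response
        hop.problems.append("not over TLS; a UA would ignore the HSTS header")
    value = headers.get(HSTS_HEADER)
    if value is None:
        hop.problems.append("no Strict-Transport-Security header")
    else:
        try:
            hop.hsts = parse_hsts(value)
        except ValueError as exc:
            hop.problems.append(str(exc))
    return hop


def audit_chain(chain: List[Tuple[str, str]]) -> List[Hop]:
    """chain: (url, raw_response) for each hop, in the order the browser saw them.
    Every hop, including the 302 to the login page, is expected to carry HSTS."""
    return [audit_hop(url, raw) for url, raw in chain]


# Constructed sample hops (assumed hostname and paths; not real captures).
REDIRECT = ("https://app.example.com/protected/page.asp",
            "HTTP/1.1 302 Found\r\n"
            "Location: https://app.example.com/siteminderagent/forms/Login.asp"
            "?TARGET=%2Fprotected%2Fpage.asp\r\n"
            "Content-Length: 0\r\n\r\n")
LOGIN = ("https://app.example.com/siteminderagent/forms/Login.asp",
         "HTTP/1.1 200 OK\r\n"
         "Content-Type: text/html\r\n"
         "Strict-Transport-Security: max-age=31536000\r\n\r\n"
         "<html></html>")

if __name__ == "__main__":
    for hop in audit_chain([REDIRECT, LOGIN]):
        verdict = "OK" if not hop.problems else "; ".join(hop.problems)
        print(hop.status, hop.url, verdict)
```

Run against the two constructed hops, the 302 is reported with "no Strict-Transport-Security header" and the 200 passes, which is exactly the finding in the question. To use it against a real deployment, capture each hop separately (a client that does not follow redirects, so the 302 is seen rather than swallowed) and feed the raw responses in order; a chain is only clean when every hop is clean.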