
Question

HSTS Preload

asked on March 6, 2020

We have a client who wants to use HSTS for the Laserfiche web products (Web Client, Forms, Audit Trail).  My question is 2 parts:

1) Is HSTS supported by Laserfiche web products?

2) If #1 answer is yes, can the HSTS preload be for at least 6 months?  Or ideally 1 year?

0 0

Answer

SELECTED ANSWER
replied on March 6, 2020

Hi Nathan,

HSTS is a header you set within IIS at either the IIS application or site level. I recommend that you initially set the HSTS header to not put you on the browser preload list until you verify it's working as expected for you. Also be careful to only set the HSTS header(s) for your Laserfiche subdomain(s), such as "lf.company.com", not the top level "company.com".

Good pages on the topic (updated 2024-06-26):
Start with one year:

Strict-Transport-Security: max-age=31536000

Easy enough to clear out of your own cookies if necessary. Once you've verified it's working as intended, you can add the preload directive like so:

Strict-Transport-Security: max-age=31536000; preload
2 0
replied on March 9, 2020

Thanks Samuel!

1 0
replied on June 26, 2024

I am currently trying to find this header which was already set on a Laserfiche website by accident and I am getting a Page cannot be displayed when trying the link above.

After googling where headers are found in IIS I am checking under HTTP Response Headers but it is not there, am I in the right spot?

0 0
replied on June 26, 2024

Thanks for pointing out the dead link. I've updated it with new ones.

HTTP response headers can be set either at the IIS level or by application code itself.

Within IIS, the HTTP Response Headers can be set at three different scopes: Server, Site, or Application. 

As of now, one Laserfiche web application, Forms, supports setting the HSTS header within the application config (/FormsConfig), from the Forms Server -> Security node, with the option to override the default header value (if enabled) under Advanced Options.

The Security node links to this docs page, which is for some reason unlisted in the Admin Guide table of contents, and mostly up to date: https://doc.laserfiche.com/laserfiche.documentation/11/administration/en-us/Default.htm#../Subsystems/Forms/Content/Administration/configuring-security-options.htm

HTTP Security Headers > "Enable the HTTP Strict-Transport-Security (HSTS) header"

Advanced Options > "SecurityStrictTransportSecurity" property with description "Define the HTTP Strict-Transport-Security (HSTS) header value."

1 0
replied on June 26, 2024

Awesome, that is where it was, but did not show in IIS.

Thanks for the quick response. It also appears that this got enabled automatically somehow as they don't remember enabling it. Maybe one of the upgrade packages sets it?

0 0

Replies

replied on October 7, 2020

Was your client able to successfully use HSTS with their Laserfiche web products? Our infrastructure staff is inquiring about turning on this technology for our Laserfiche servers, but we have not been able to find information on whether it's supported with Laserfiche.

0 0
replied on October 7, 2020

It is usually configured at the server level, so it's transparent to any applications running on the server. https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts is a good guide.

1 0
replied on October 7, 2020

To add onto what Brian said, HSTS is implemented as a browser cookie that tells clients "Always use HTTPS when connecting to this site". It is effectively a way of making HTTPS redirects faster. Laserfiche supports HTTPS and is thus compatible with HSTS.

That said, the general precautions around using the Preload option I mentioned in my original response still apply.

0 0
replied on October 7, 2020

Thank you for the replies Brian & Samuel. The information provided is helpful.

0 0