Enabling and disabling SSL HSTS

Enabling HSTS (RFC 6797) enforces a secure HTTPS connection between a web browser and Ivanti Standalone Sentry. By default, HSTS is disabled.

Before enabling HSTS ensure the following:

Ivanti Standalone Sentry uses a root or intermediate certificate from a publicly trusted CA.

You have policies and processes to ensure that the certificate is current.

Port 443 is open.

Enabling SSL HSTS

To enable SSL HSTS, use the following CLI command in CONFIG mode:

httpd hsts enable [preload]

HSTS preloading is not enabled by default. To enable it, set the preload option to yes; the option accepts either yes or no and defaults to no.

If SSL HSTS is enabled, the following header is added to the HTTP response:

Strict-Transport-Security "max-age=31536000; includeSubDomains"

If SSL HSTS is enabled with the preload option set to "yes", then the following header is added to the HTTP response:

Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
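The following is an added example (not Ivanti code or tooling) that parses the Strict-Transport-Security header described above and checks that a response carries the expected directives for the preload setting in use; the sample header values are constructed to match the two forms listed, and the FQDN used by the live fetch helper is hypothetical.

```python
# Added example, not Ivanti code: parse and sanity-check the
# Strict-Transport-Security header a Standalone Sentry returns once
# "httpd hsts enable" is in effect. Sample values are constructed.
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; the max-age both header variants above carry


def parse_hsts(value):
    """Split an HSTS header value into directives (RFC 6797, section 6.1).
    Names are case-insensitive; max-age is an integer, the rest are flags."""
    directives = {}
    for token in value.split(";"):
        name, _, raw = token.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            raw = raw.strip().strip('"')
            if not re.fullmatch(r"\d+", raw):
                raise ValueError("malformed max-age directive: %r" % token)
            directives[name] = int(raw)
        else:
            directives[name] = True
    return directives


def check_hsts(headers, expect_preload=False):
    """Return findings for a response's header dict; an empty list means OK."""
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("strict-transport-security")
    if value is None:
        # Absent after "no httpd hsts": browsers that cached the policy keep
        # enforcing it until it expires or is cleared (see Disabling SSL HSTS).
        return ["no Strict-Transport-Security header in response"]
    d = parse_hsts(value)
    findings = []
    if d.get("max-age", 0) < ONE_YEAR:
        findings.append("max-age below one year: %s" % d.get("max-age"))
    if not d.get("includesubdomains"):
        findings.append("includeSubDomains missing")
    if expect_preload and not d.get("preload"):
        findings.append("preload missing although preload was requested")
    return findings


def fetch_headers(fqdn):
    """Fetch live headers over port 443 (hypothetical FQDN; not used by the test)."""
    with urllib.request.urlopen("https://%s/" % fqdn) as resp:
        return dict(resp.headers.items())
```

Run `check_hsts(fetch_headers("sentry.example.com"), expect_preload=True)` against your own Sentry FQDN after enabling HSTS; an empty list means the header matches the preload setting you configured.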

Disabling SSL HSTS

To disable SSL HSTS, use the following CLI command in CONFIG mode:

no httpd hsts

After disabling HSTS, also clear HSTS for the Ivanti Standalone Sentry FQDN from your browser cache. Otherwise, the browser continues to attempt to load the Standalone Sentry FQDN with a secure connection and you will not be able to access the site.

Viewing SSL HSTS

To view the current status of SSL HSTS, use the following CLI command in EXEC mode:

show httpd hsts

For more information on HSTS, see https://tools.ietf.org/html/rfc6797