Enabling and disabling SSL HSTS

Enabling HTTP Strict Transport Security (HSTS, RFC 6797) tells a web browser that has received the policy to connect to Standalone Sentry only over HTTPS for the period given by max-age: the browser rewrites http:// requests for the Standalone Sentry FQDN to https:// and no longer lets the user click through certificate errors for that host. By default, HSTS is disabled.

Before enabling HSTS ensure the following. Once a browser has cached the policy it refuses connections with an expired, untrusted, or mismatched certificate with no override, so a certificate problem locks users out of Standalone Sentry for as long as the policy is cached:

The Standalone Sentry certificate chains to a root or intermediate certificate of a publicly trusted CA.
You have policies and processes in place to renew the certificate before it expires.
Port 443 is open.

To enable SSL HSTS, use the following CLI command in CONFIG mode:

httpd hsts enable

If HSTS is enabled, the following header is added to every HTTPS response (browsers ignore the header on plain HTTP responses, so it is only ever learned over TLS):

Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Note what the directives commit you to: max-age=31536000 makes browsers cache the policy for one year, includeSubDomains extends it to every subdomain of the Standalone Sentry FQDN, and preload is only acted on if the FQDN is submitted to the browser preload list. To confirm the header is being sent, inspect the response headers of an HTTPS request to the Standalone Sentry FQDN from a client.

To disable SSL HSTS, use the following CLI command in CONFIG mode:

no httpd hsts

NOTE: After disabling HSTS, Standalone Sentry simply stops sending the header; browsers that already cached the policy keep enforcing it until max-age expires. Also clear the HSTS entry for the Standalone Sentry FQDN from each browser (in Chrome, chrome://net-internals/#hsts, Delete domain security policies; in Firefox, Forget About This Site). Otherwise the browser continues to force a secure connection to the Standalone Sentry FQDN and you will not be able to access the site over plain HTTP. If the FQDN was submitted to the browser preload list, it must also be removed from that list, which takes effect only with new browser releases.
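The following is an added example, not code from Standalone Sentry or from the page. It parses the Strict-Transport-Security header shown above the way a conforming browser does (RFC 6797 sections 6.1 and 8.1) and shows why the note about disabling matters: a response with no header leaves the cached policy in place, the header is ignored over plain HTTP, and only max-age=0 removes a host. The HTTP responses it checks are constructed, not captured from a Sentry, and the preload-list thresholds are the hstspreload.org submission requirements, not anything Sentry enforces.

```python
"""Evaluate a Strict-Transport-Security header as a browser would (RFC 6797).

Added example, not Standalone Sentry code. Sample responses are constructed.
"""
import re

# Header value the page says Standalone Sentry sends once HSTS is enabled.
SENTRY_STS_VALUE = "max-age=31536000; includeSubDomains; preload"
ONE_YEAR = 31536000  # minimum max-age required by the browser preload list


def parse_sts(value):
    """Parse an STS field value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the value is invalid: max-age missing or malformed, or any
    directive repeated. Names are case-insensitive; unknown directives are
    ignored rather than rejected.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None  # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None  # max-age takes delta-seconds only
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True  # preload-list convention, not in RFC 6797
    if policy["max_age"] is None:
        return None  # max-age is REQUIRED
    return policy


def sts_headers(raw_response):
    """Return every Strict-Transport-Security field value in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values


def evaluate(raw_response, over_tls):
    """What a conforming browser does with one response (RFC 6797 section 8.1).

    Returns (action, policy): "ignore" leaves any cached policy untouched,
    "cache" stores the policy for max-age seconds, "remove" drops the host.
    """
    if not over_tls:
        return "ignore", None  # STS over plain HTTP MUST be ignored
    values = sts_headers(raw_response)
    if not values:
        return "ignore", None  # no header: cached policy simply keeps running
    policy = parse_sts(values[0])  # only the first STS field is processed
    if policy is None:
        return "ignore", None
    if policy["max_age"] == 0:
        return "remove", policy  # the only way a server can clear the policy
    return "cache", policy


def preload_eligible(policy):
    """Header-level requirements for submission to the browser preload list."""
    return (policy is not None and policy["max_age"] >= ONE_YEAR
            and policy["include_subdomains"] and policy["preload"])


# Constructed responses (not captured from a real Sentry).
SENTRY_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Strict-Transport-Security: " + SENTRY_STS_VALUE + "\r\n"
                   "Content-Length: 0\r\n\r\n")
DISABLED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # HSTS disabled
CLEARING_RESPONSE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n"
BROKEN_RESPONSE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: includeSubDomains\r\n\r\n"

if __name__ == "__main__":
    cases = [("sentry over https", SENTRY_RESPONSE, True),
             ("sentry over http", SENTRY_RESPONSE, False),
             ("hsts disabled", DISABLED_RESPONSE, True),
             ("max-age=0", CLEARING_RESPONSE, True),
             ("no max-age", BROKEN_RESPONSE, True)]
    for label, resp, tls in cases:
        action, policy = evaluate(resp, tls)
        print(f"{label:18} -> {action:6} preload-eligible={preload_eligible(policy)}")
```

The "hsts disabled" case is the one behind the note: turning HSTS off on Sentry yields "ignore", so every browser keeps its cached one-year policy until it expires or the entry is deleted on the client side.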

To view the current status of SSL HSTS, use the following CLI command in EXEC mode:

show httpd hsts

For more information on HSTS, see https://tools.ietf.org/html/rfc6797.