Enabling and disabling SSL HSTS
Enabling HTTP Strict Transport Security (HSTS, RFC 6797) instructs web browsers to connect to Standalone Sentry only over HTTPS. By default, HSTS is disabled.
Before enabling HSTS, ensure the following:
• Standalone Sentry uses a root or intermediate certificate from a publicly trusted CA.
• You have policies and processes to ensure that the certificate is current.
• Port 443 is open.
To enable SSL HSTS, use the following CLI command in CONFIG mode:
httpd hsts enable
If HSTS is enabled, the following header is added to the HTTP response:
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
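The following is an added example, not Ivanti's or Standalone Sentry's own code, showing how to verify that the header above is actually being served and that its directives are what you expect. It parses the Strict-Transport-Security value the way RFC 6797 section 6.1 describes (case-insensitive directive names, mandatory max-age, no repeated directives, only the first header honoured) and compares it against the max-age of 31536000 seconds quoted above. The quotation marks shown in the configuration line are syntax; a browser receives only the text between them, which is what the sample headers below contain. The sample responses are constructed for the example; the fetch_headers helper is an assumption for running the same check against a Sentry you administer.

```python
# Added example (not Ivanti/Standalone Sentry code): parse and check the
# Strict-Transport-Security (STS) header served after "httpd hsts enable".
import re

EXPECTED_MAX_AGE = 31536000  # one year, the value Sentry sends (from the page)


def parse_hsts(value):
    """Parse an STS header value into a dict per RFC 6797 section 6.1.

    Directive names are case-insensitive and must not repeat; max-age is
    mandatory and numeric. Unknown directives are kept but not interpreted.
    Valueless directives (includeSubDomains, preload) are stored as True.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # quoted-string form is allowed
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", raw):
                raise ValueError(f"invalid max-age value: {raw!r}")
            directives[name] = int(raw)
        else:
            directives[name] = raw if raw else True
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return directives


def check_hsts(headers, min_max_age=EXPECTED_MAX_AGE):
    """Evaluate response headers (list of (name, value)) and return (ok, findings).

    ok is True only when an STS header is present, parses, and its max-age is
    at least min_max_age. findings lists advisory observations.
    """
    findings = []
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return False, ["Strict-Transport-Security header missing (HSTS disabled?)"]
    if len(sts) > 1:
        findings.append("multiple STS headers; browsers honour only the first")
    try:
        d = parse_hsts(sts[0])
    except ValueError as exc:
        return False, findings + [f"unparseable STS header: {exc}"]
    if d["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the host (HSTS off)")
    elif d["max-age"] < min_max_age:
        findings.append(f"max-age {d['max-age']} is below {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent")
    if "preload" not in d:
        findings.append("preload absent")
    return d["max-age"] >= min_max_age, findings


def fetch_headers(host, port=443, path="/"):
    """Assumed helper for a live check of a Sentry you administer (needs network)."""
    import http.client
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    return conn.getresponse().getheaders()


# Constructed sample responses (not captured from a real Standalone Sentry).
ENABLED_HEADERS = [
    ("Date", "Mon, 01 Jan 2024 00:00:00 GMT"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Content-Type", "text/html"),
]
DISABLED_HEADERS = [
    ("Date", "Mon, 01 Jan 2024 00:00:00 GMT"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    for label, hdrs in (("enabled", ENABLED_HEADERS), ("disabled", DISABLED_HEADERS)):
        ok, findings = check_hsts(hdrs)
        print(f"{label}: ok={ok} findings={findings}")
```

Run the check against the FQDN browsers actually use, since the browser caches the policy per host name; after "no httpd hsts" the header simply disappears, which is why an already-cached policy must be cleared on the client side.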
To disable SSL HSTS, use the following CLI command in CONFIG mode:
no httpd hsts
NOTE: After disabling HSTS, also clear HSTS for the Standalone Sentry FQDN from your browser cache. Otherwise, the browser continues to attempt to load the Standalone Sentry FQDN with a secure connection and you will not be able to access the site.
To view the current status of SSL HSTS, use the following CLI command in EXEC mode:
show httpd hsts
For more information on HSTS, see https://tools.ietf.org/html/rfc6797.