Enabling HTTP Strict Transport Security (HSTS) in IIS 10.0.

November 27, 2024 | KB: 1014551
Forms 11, Web Client 11, Forms 12, Web Client 12, WebLink 11

Summary

HTTP Strict Transport Security (HSTS, RFC 6797) is a response header (Strict-Transport-Security) with which a web site declares that browsers must reach it only over HTTPS. Once a browser has received the header on an HTTPS response, it rewrites plain-HTTP requests to that host to HTTPS for the max-age period and will not let the user click through certificate errors. This closes the window in which a man-in-the-middle on the network could intercept or downgrade the initial http:// request (SSL stripping) before the client ever reaches the server over TLS.

IIS 10.0 (version 1709 and later, including the IIS that ships with Windows Server 2019) includes native support for HSTS and exposes it in IIS Manager; on the earlier IIS 10.0 build in Windows Server 2016 the HSTS option is not present. Customers are responsible for configuring HSTS on their self-hosted Laserfiche systems.

The option appears as HSTS in the Configure group of the Actions pane when a site is selected. Before enabling it, confirm that the site has an HTTPS binding with a certificate that clients trust: browsers only honour the header when it arrives over HTTPS, and once they have it they will refuse to use the site over HTTP for the full max-age period.

  1. On the appropriate host, open Internet Information Services (IIS) Manager.
  2. Select the desired site.
  3. In the Actions pane, under the Configure group, click HSTS.
  4. In the Edit Website HSTS dialog, select the Enable option.
  5. In the Max-Age field, specify how long (in seconds) the browser should remember that the site must be accessed through HTTPS. 31536000 (one year) is the commonly used value; a shorter value while testing lets you back the change out quickly, because browsers keep enforcing HTTPS until the stored max-age expires.
  6. Select the Redirect Http to Https option so that requests arriving on the site's HTTP binding are redirected to HTTPS. This requires the site to keep an HTTP binding; without one, plain-HTTP requests are simply not answered.
  7. Optionally, select the IncludeSubDomains option to indicate that the rule applies to all of the site's subdomains as well. Only do this if every subdomain of the host is served over HTTPS, since browsers will refuse plain-HTTP connections to all of them.
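The same settings can be applied without the IIS Manager dialog. The following PowerShell is an added example written for this article, not Laserfiche's or Microsoft's code: it sets the site's hsts element in applicationHost.config with the IISAdministration module (the same element the dialog edits) and then probes the live site to confirm that the HTTPS response carries the header and that an HTTP request is redirected. The site name 'Default Web Site' and the host name forms.example.com are placeholders; replace them with your own. Run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example: configure HSTS on an IIS 10.0 site and verify the result.
# Not part of the Laserfiche KB article or any Laserfiche/Microsoft product code.
# Assumptions (placeholders): site 'Default Web Site', host 'forms.example.com'.
Import-Module IISAdministration

$SiteName = 'Default Web Site'    # assumed site name
$HostName = 'forms.example.com'   # assumed host name

function Set-SiteHsts {
    # Writes <hsts enabled="true" max-age=... includeSubDomains=... redirectHttpToHttps=... />
    # under system.applicationHost/sites/site[@name='...'] in applicationHost.config.
    param(
        [Parameter(Mandatory)] [string] $Site,
        [int]  $MaxAge = 31536000,            # one year, in seconds
        [bool] $IncludeSubDomains = $false,   # only when every subdomain serves HTTPS
        [bool] $RedirectHttpToHttps = $true
    )
    Reset-IISServerManager -Confirm:$false
    Start-IISCommitDelay                      # batch the attribute writes into one commit
    try {
        $sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' |
                 Get-IISConfigCollection
        $siteEl = Get-IISConfigCollectionElement -ConfigCollection $sites `
                      -ConfigAttribute @{ name = $Site }
        $hsts = Get-IISConfigElement -ConfigElement $siteEl -ChildElementName 'hsts'

        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue $MaxAge
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $IncludeSubDomains
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $RedirectHttpToHttps

        Stop-IISCommitDelay                   # commit to applicationHost.config
    }
    catch {
        Stop-IISCommitDelay -Commit:$false    # discard the partial change on any error
        throw
    }
}

function Get-HstsProbe {
    # Sends one HEAD request without following redirects and reports the fields that
    # matter for HSTS: status, Location and the Strict-Transport-Security header.
    param([Parameter(Mandatory)] [string] $Url)
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.AllowAutoRedirect = $false           # we want to see the 3xx itself, not its target
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 4xx/5xx land here
    if (-not $resp) { throw "No HTTP response from $Url" }
    [pscustomobject]@{
        Url      = $Url
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
        Hsts     = $resp.Headers['Strict-Transport-Security']
    }
}

# Apply the settings from the procedure above (steps 4 to 6; IncludeSubDomains left off).
Set-SiteHsts -Site $SiteName -MaxAge 31536000 -RedirectHttpToHttps $true

# Verify against the running site.
$https = Get-HstsProbe -Url "https://$HostName/"
$http  = Get-HstsProbe -Url "http://$HostName/"
$https, $http | Format-Table Url, Status, Hsts, Location -AutoSize

# What a correct deployment looks like:
#  - the HTTPS response carries Strict-Transport-Security with the configured max-age
#  - the HTTP response is a 3xx whose Location starts with https://
#  - the HTTP response carries no HSTS header; browsers ignore the header over plain
#    HTTP, and IIS only emits it on HTTPS responses
if (-not $https.Hsts) {
    Write-Warning 'Strict-Transport-Security header missing on the HTTPS response'
}
if ($http.Status -lt 300 -or $http.Status -ge 400 -or $http.Location -notlike 'https://*') {
    Write-Warning 'HTTP request was not redirected to HTTPS; check the HTTP binding and the Redirect Http to Https option'
}
```

The probe deliberately disables automatic redirects so that the HTTP request shows the redirect response itself rather than the HTTPS page it leads to; if you probe from a machine other than the IIS host, the host name must resolve to that server and the certificate must be trusted there, or the HTTPS probe will fail before any header is read.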

Additional Information

On a server that hosts Laserfiche Forms, you can set the HSTS header for Forms either in IIS as described above, or in the Security section of the Forms Configuration site, which also offers other HTTP security headers. If HSTS is enabled in both IIS and the Forms Configuration site, the value configured in IIS takes precedence, so check the response header after changing either one rather than assuming the Forms Configuration setting is in effect.
