HTTP Strict Transport Security
The HTTP Strict-Transport-Security (HSTS) response header lets a website (domain) tell browsers that it must only be accessed over HTTPS, never over plain HTTP. This mechanism helps protect websites against attacks that rely on an unencrypted HTTP connection.
To turn HSTS on for the ESA Authentication Server:
1. Open the C:\Program Files\ESET Secure Authentication\EIP.Core.WindowsService.exe.config file with a text editor, for example, Notepad.
2. Add <add key="StrictTransportSecurityEnabled" value="true" /> to that file after the <appSettings> tag.
Example of an altered EIP.Core.WindowsService.exe.config file:

    <?xml version="1.0" encoding="utf-8"?>
    ...
    <configuration>
      <appSettings>
        <add key="StrictTransportSecurityEnabled" value="true" />
        ...
      </appSettings>
      ...
    </configuration>
    ...

The ... lines stand for existing content of the .config file, which is left intact.
3. Restart the ESACore service.
To turn HSTS on for the ESA Identity Provider Connector, apply the same changes to the C:\Program Files\ESET Secure Authentication\IdentityProviderConnector\Web.config file.
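Steps 1 and 2 above are the same for both .config files, so an administrator who manages several ESA servers may want to script them. The following is an added example (not part of the ESA documentation or product) that inserts or updates the StrictTransportSecurityEnabled key inside <appSettings> while leaving every other element and comment of the file intact, refuses to touch a file that has no <appSettings> section, and keeps a .bak copy before writing. The SAMPLE_CONFIG text is a constructed stand-in for the real file; the two default paths are the ones named in the steps above.

```python
"""Idempotently enable HSTS in an ESET Secure Authentication .config file.

Added example, not part of the ESA documentation or product. Requires
Python 3.9+ (for ET.indent). Edits the .NET-style <configuration><appSettings>
section and preserves everything else, including XML comments.
"""
import shutil
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

HSTS_KEY = "StrictTransportSecurityEnabled"

# Constructed sample standing in for EIP.Core.WindowsService.exe.config.
# The real file has many more entries and comments; all of them must survive.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- comments in the real file must be preserved -->
  <appSettings>
    <add key="SomeExistingSetting" value="42" />
  </appSettings>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""


def _parse(xml_text):
    # TreeBuilder(insert_comments=True) keeps <!-- --> nodes, which the
    # default parser silently drops; losing comments is not acceptable here.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    if root.tag != "configuration":
        raise ValueError("not a .NET <configuration> file")
    return root


def _find_hsts(root):
    """Return (appSettings element, existing HSTS <add> element or None)."""
    app = root.find("appSettings")
    if app is None:
        # Do not guess where the key belongs; let the operator look at the file.
        raise ValueError("no <appSettings> section found")
    for add in app.findall("add"):
        if add.get("key") == HSTS_KEY:
            return app, add
    return app, None


def hsts_enabled(xml_text):
    """True if the config already carries StrictTransportSecurityEnabled=true."""
    _, add = _find_hsts(_parse(xml_text))
    return add is not None and (add.get("value") or "").strip().lower() == "true"


def set_hsts(xml_text, enabled=True):
    """Return xml_text with the HSTS key inserted or updated (idempotent)."""
    root = _parse(xml_text)
    app, add = _find_hsts(root)
    if add is None:
        add = ET.SubElement(app, "add")
        add.set("key", HSTS_KEY)
    add.set("value", "true" if enabled else "false")
    ET.indent(root, space="  ")  # re-indent so the new element sits cleanly
    declaration = '<?xml version="1.0" encoding="utf-8"?>\n'
    return declaration + ET.tostring(root, encoding="unicode") + "\n"


def enable_hsts_in_file(path):
    """Apply set_hsts to a file on disk, keeping a .bak copy of the original.

    Returns True if the file was modified, False if HSTS was already enabled.
    """
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    if hsts_enabled(original):
        return False
    shutil.copyfile(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(set_hsts(original), encoding="utf-8")
    return True


if __name__ == "__main__":
    # Defaults to the two files named in the documentation; pass other paths
    # (for example a copy of the file) to try it out safely first.
    targets = sys.argv[1:] or [
        r"C:\Program Files\ESET Secure Authentication\EIP.Core.WindowsService.exe.config",
        r"C:\Program Files\ESET Secure Authentication\IdentityProviderConnector\Web.config",
    ]
    for target in targets:
        state = "modified" if enable_hsts_in_file(target) else "already enabled"
        print(f"{target}: {state}")
```

Run it with administrator rights, then restart the ESACore service as in step 3; the .bak copy lets you roll back if the service fails to start. The script deliberately rewrites only whitespace and the one <add> element, so a diff of the file against its .bak copy shows exactly the intended change.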
Beware that browsers remember the HSTS setting per domain. Enabling HSTS in your ESA instance may therefore affect other websites served from the same domain (hostname) as your ESA instance. To avoid such an issue, make your ESA instance accessible at a separate domain (hostname): add the domain to the DNS records or hosts file and regenerate the ESA certificate so that the certificate's subject name (and/or Subject Alternative Name) includes that domain.