Policy to Force clients to use HTTP Strict Transport Security (HSTS)

Article ID: 169783

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This article details the policy you can use to inject an HTTP Strict Transport Security (HSTS) header into server responses via your ProxySG or ASG appliance.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect web sites against protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections. The declaration is carried in a Strict-Transport-Security response header; the browser caches it for the number of seconds given in max-age and, for that period, rewrites any plain http:// request for the host to https:// before it leaves the browser.

Per the above, there are several factors to consider:

  • HSTS is a mechanism that is added by the origin server. The ProxySG and ASG appliances do not implement HSTS themselves, but they can add the respective Strict-Transport-Security header to a response on the server's behalf, which instructs the client to use only HTTPS (and not HTTP) for that host.
  • HSTS header injection is most applicable to RP/WAF deployments, where the appliance terminates the client's HTTPS session. It should not be used unconditionally for all traffic in forward proxy deployments via the ProxySG appliance line.
  • Browsers honor the header only when it arrives over an HTTPS connection with no certificate errors; a Strict-Transport-Security header injected into a plain HTTP response is ignored. Conversely, once a browser has cached the policy it will refuse plain HTTP to that host (and to every subdomain, if includeSubDomains is set) until max-age expires, even if the policy is later removed from the appliance.
  • NOTE: If the destination server is not expecting this behavior, for example because it, or one of its subdomains, still serves content over HTTP only, conflicts can arise that impact the overall end user experience.

Resolution

The following CPL sets an additional response header on the response from the server in order to add HSTS functionality. This policy can be installed via your proxy's local policy file or in a "CPL Layer" via your proxy VPM (Visual Policy Manager). As mentioned above, this CPL should not be used unconditionally. The CPL below uses an example hostname (webapp.domain.com) as the condition; when installing this CPL, change the example hostname to whatever is applicable to your use case, and keep the rule scoped to hosts that are reachable over HTTPS.

 

; ################# HSTS Header Injection Policy #################

; Note(s):
; - This policy sets an additional response header on the response
;   from the server to add HSTS functionality.

; - HTTP Strict Transport Security (HSTS) is a web security policy
;   mechanism which helps to protect web sites against protocol downgrade
;   attacks and cookie hijacking. It allows web servers to declare that
;   web browsers (or other complying user agents) should only interact
;   with them using secure HTTPS connections.

; - Per the above, HSTS is a mechanism that is added by the server.
; - HSTS is not directly supported by the ProxySG appliance line. However,
;   the SG does have the capability of adding the respective HSTS header to a
;   response back to the client (instructing the client to use only HTTPS,
;   not HTTP, for this host for the next max-age seconds). Browsers honor
;   the header only when it arrives over an error-free HTTPS connection.
;   The downside to this is that if the destination server is not
;   expecting this behavior, conflicts can arise that impact the overall
;   end user experience.

; ------------------ Action definition ------------------
; HTTP Strict Transport Security: one year (31536000 seconds), covering
; subdomains. Remove "; includeSubDomains" if any subdomain of the host
; must remain reachable over plain HTTP.
define action HSTS
    set(response.x_header.Strict-Transport-Security, "max-age=31536000; includeSubDomains")
end

; ------------------ Rule(s) ------------------
; Rules must be placed inside a layer. Replace webapp.domain.com with the
; host(s) that should receive the header.
<Proxy>
    url=webapp.domain.com action.HSTS(yes)

; ################# END HSTS Header Injection Policy #################
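To see what the header value set by the action above actually does on the client side, the following is an added Python model of a browser's HSTS store. It is example code written for this article, not code from the article or from SGOS. It parses the Strict-Transport-Security value the CPL injects (per RFC 6797: max-age is required, includeSubDomains is optional, unknown directives are ignored), discards the header when it arrives over plain HTTP or a connection with certificate errors, and rewrites later http:// URLs for the host (and its subdomains when includeSubDomains is present) until max-age expires. The host webapp.domain.com is the article's placeholder; the other hostnames and the fixed clock values are constructed for the example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the exact value the CPL action above injects.
INJECTED_HEADER = "max-age=31536000; includeSubDomains"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None if the value
    is invalid (missing or non-numeric max-age, duplicate directive).
    """
    max_age = None
    include_sub = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None  # a directive may appear at most once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive (e.g. preload) is ignored by the UA
    if max_age is None:
        return None  # max-age is mandatory
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's HSTS policy store."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock for testing expiry
        self.hosts = {}           # host -> (expiry_timestamp, include_subdomains)

    def observe(self, scheme, host, header_value, tls_ok=True):
        """Process a response carrying the header. Returns True if it was
        accepted into the store. A UA only honours HSTS on an error-free
        HTTPS response (RFC 6797 section 8.1), so injecting the header into
        plain HTTP responses on the appliance achieves nothing."""
        if scheme != "https" or not tls_ok:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.hosts.pop(host, None)   # max-age=0 is how a site retracts HSTS
            return True
        self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host is covered by an unexpired policy, either directly
        or through a superdomain whose policy has includeSubDomains."""
        host = host.lower()
        now = self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Apply the UA's URI rewriting (RFC 6797 section 8.3): http -> https,
        explicit port 80 dropped, any other explicit port preserved."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc += f":{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    # Header seen over HTTP is ignored; seen over HTTPS it pins the host.
    print(cache.observe("http", "webapp.domain.com", INJECTED_HEADER))    # False
    print(cache.observe("https", "webapp.domain.com", INJECTED_HEADER))   # True
    print(cache.rewrite("http://api.webapp.domain.com:8080/health"))
```

The two checks a practitioner wants from this model are the ones the article's caveats hinge on: the header only takes effect once it has been received over HTTPS, and with includeSubDomains every subdomain of webapp.domain.com is forced to HTTPS for a year even if the appliance never sees traffic for it.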