KB40348 - Support for HTTP Strict Transport Security (HSTS) with Pulse Connect Secure and Pulse Policy Secure


Information

Last Modified Date: 1/9/2020 2:55 AM
Synopsis
This article provides information about support for HTTP Strict Transport Security (HSTS) with Pulse Connect Secure and Pulse Policy Secure.
Problem or Goal
HTTP Strict Transport Security is a web security mechanism that restricts web browsers to accessing a web server over HTTPS only, for a given amount of time.  This ensures the endpoint does not establish an insecure (HTTP) connection, which is susceptible to protocol downgrade attacks.

Currently, all traffic to and from the PCS/PPS device is secured over HTTPS (tcp port 443).  If an initial connection to the PCS/PPS device is made using HTTP (tcp port 80), the PCS/PPS device will redirect the browser to connect via HTTPS.

Once the device is upgraded to a release supporting HSTS and an initial connection to the PCS/PPS device is made using HTTP (tcp port 80), the PCS/PPS device will redirect the browser to connect via HTTPS and will send the HSTS header when the login page is reached.  The browser caches the HSTS header, which is valid for 1 year from the initial connection.  For any further attempts using HTTP (tcp port 80), the browser will force the connection via HTTPS.
Solution
To resolve this issue, please upgrade to 8.2R6 / 8.1R12 and above.  In 8.2R6 / 8.1R12 and above, HSTS support is enabled by default and is not a configurable option.  For other releases, please use the mitigation steps below:

Mitigation:

  • Educate end users to always connect via HTTPS, or hardcode all web links to the VPN device as HTTPS.  Once the end user makes the initial connection AND the device supports HSTS, all further connections will be HTTPS.


Max-Age, IncludeSubDomains and preload options:

By default, max-age is set for 1 year.  Starting in 8.3R3 and above, max-age can be modified from 0 to 365 days.
  1. Login to the admin console
  2. Navigate to System > Configuration > Security > Miscellaneous
  3. Under HSTS, modify the number of days field
Additional options are available to enable includeSubDomains and preload in the HSTS header.
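The following script is an added example (not Pulse Secure code) that ties the two parts of this article together: it builds the Strict-Transport-Security value from a max-age given in days, as the admin console field is, with the optional includeSubDomains and preload directives, and it checks constructed HTTP responses the way a verifier would after an upgrade: the port 80 response must redirect to HTTPS, and the HTTPS login page response must carry an HSTS header whose max-age covers the 1 year default. The host name and responses are constructed placeholders, not captured from a real device.

```python
"""Build and verify HSTS headers as described for PCS/PPS (added example, not Pulse Secure code)."""
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86400
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def build_hsts_header(days: int, include_subdomains: bool = False, preload: bool = False) -> str:
    """Return the Strict-Transport-Security value for a max-age given in days.
    The admin console field is in days (0 to 365); the header itself is in seconds."""
    if not 0 <= days <= 365:
        raise ValueError("max-age must be between 0 and 365 days")
    directives = [f"max-age={days * SECONDS_PER_DAY}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value (RFC 6797 syntax). Directive names are
    case-insensitive, unknown directives are ignored, max-age becomes an int."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age: {arg!r}")
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


@dataclass
class CheckResult:
    ok: bool
    findings: list = field(default_factory=list)


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def check_http_redirect(status: int, headers: dict) -> CheckResult:
    """The port 80 response must redirect to an https:// URL. An HSTS header on
    this plain-HTTP response would be ignored by browsers, so it is flagged."""
    h = _lower_headers(headers)
    findings = []
    if status not in REDIRECT_STATUSES:
        findings.append(f"expected a redirect status, got {status}")
    elif not h.get("location", "").lower().startswith("https://"):
        findings.append(f"redirect Location is not HTTPS: {h.get('location')!r}")
    if "strict-transport-security" in h:
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    return CheckResult(not findings, findings)


def check_login_response(status: int, headers: dict, min_days: int = 365) -> CheckResult:
    """The HTTPS login page response must carry a parseable HSTS header whose
    max-age covers at least min_days (the 1-year default described above)."""
    h = _lower_headers(headers)
    findings = []
    if status != 200:
        findings.append(f"unexpected status {status}")
    value = h.get("strict-transport-security")
    if value is None:
        findings.append("Strict-Transport-Security header missing")
        return CheckResult(False, findings)
    try:
        parsed = parse_hsts(value)
    except ValueError as exc:
        return CheckResult(False, findings + [str(exc)])
    if parsed["max_age"] is None:
        findings.append("max-age directive missing (header is invalid without it)")
    elif parsed["max_age"] < min_days * SECONDS_PER_DAY:
        findings.append(f"max-age {parsed['max_age']}s is below {min_days} days")
    return CheckResult(not findings, findings)


# Constructed sample responses (placeholder host; not captured from a real device).
HTTP_REDIRECT = (302, {"Location": "https://vpn.example.test/"})
LOGIN_PAGE_OK = (200, {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"})
LOGIN_PAGE_SHORT = (200, {"Strict-Transport-Security": "max-age=2592000; includeSubDomains"})
LOGIN_PAGE_NONE = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    print("header for 365 days, all options:", build_hsts_header(365, True, True))
    for label, resp in [("redirect", HTTP_REDIRECT), ("login ok", LOGIN_PAGE_OK),
                        ("login short", LOGIN_PAGE_SHORT), ("login none", LOGIN_PAGE_NONE)]:
        check = check_http_redirect(*resp) if label == "redirect" else check_login_response(*resp)
        print(f"{label}: {'PASS' if check.ok else 'FAIL'} {check.findings}")
```

The max-age comparison is in seconds because that is what the browser caches; a device configured for fewer days than expected shows up as a finding rather than a silent pass, and a missing max-age is treated as invalid, since browsers discard an HSTS header without one.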
Created By: K. Kitajima