To resolve this issue, please upgrade to 8.2R6 / 8.1R12 and above. In 8.2R6 / 8.1R12 and above, HSTS support is enabled by default and is not a configurable option. For other releases, please use the mitigation steps below:
- Educate end users to always connect via https or hardcode all web links to the VPN device as https. Once the end user makes the initial connection AND the device supports HSTS, all further connections will be HTTPS.
Max-Age, IncludeSubDomains and preload options:
By default, max-age is set for 1 year. Starting in 8.3R3 and above, max-age can be modified from 0 to 365 days.
- Login to the admin console
- Navigate to System > Configuration > Security > Miscellaneous
- Under HSTS, modify the number of days field
Additional options to enable includeSubDomains and preload in the HSTS header.