KB40348 - How to enable HTTP Strict Transport Security (HSTS) with Pulse Connect Secure and Pulse Policy Secure

This article provides information about support for HTTP Strict Transport Security (HSTS) with Pulse Connect Secure and Pulse Policy Secure.

HTTP Strict Transport Security is a web security mechanism that restricts web browsers to access web servers over HTTPS only for a given amount of time.  This ensures the endpoint does not establish an unsecure connect (HTTP) which are susceptible to protocol downgrade attacks.

Currently, all traffic to and from the PCS/PPS device is secured over HTTPS (tcp port 443).  If an initial connection to the PCS/PPS device is made using HTTP (tcp port 80), PCS/PPS device will redirect the browser to connect via HTTPS.

Once the device is upgraded to a release supporting HSTS, the initial connection to the PCS/PPS device is made using HTTP (tcp port 80), the PCS/PPS device will redirect the browser to connect via HTTPS and send the HSTS header when reaching the login page.  HSTS header will be cached and is valid for 1 year from the initial connection.  Any further attempts using HTTP (tcp port 80) the browser will force to connect via HTTPS.

To resolve this issue, please upgrade to 8.2R6 / 8.1R12 and above.  In 8.2R6 / 8.1R12 and above, HSTS support is enabled by default and is not a configurable option.  For other releases, please use the mitigation steps below:

Mitigation:

• Educate end users to always connect via https or hardcode all web links to the VPN device as https.  Once the end user makes the initial connection AND the device supports HSTS, all further connections will be HTTPS.

Max-Age, IncludeSubDomains and preload options:

By default, max-age is set for 1 year.  Starting in 8.3R3 and above, max-age can be modified from 0 to 365 days.

1. Login to the admin console
2. Navigate to System > Configuration > Security > Miscellaneous
3. Under HSTS, modify the number of days field

Additional options to enable includeSubDomains and preload in the HSTS header.