Security: HSTS Missing - The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

Posted: Wednesday, September 30, 2020 9:36:49 PM(UTC)
Grey
Member Original Poster Posts: 2
Recent security concerns have brought the lack of HSTS on Lansweeper to light. Is there any way the next patch can resolve this?
Grey attached the following image(s):
hsts lansweeper.png
#1 Caleb Member Posts: 19
posted: 10/2/2020 12:23:38 AM(UTC)
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website
#2 Grey Member Original Poster Posts: 2
posted: 10/2/2020 2:28:03 PM(UTC)
Originally Posted by: Caleb
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?
#3 Caleb Member Posts: 19
posted: 10/2/2020 4:35:45 PM(UTC)
Originally Posted by: Grey
Originally Posted by: Caleb
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?


Per Microsoft's documentation, something like this should work.

Code:
<site name="Lansweeper" id="1" serverAutoStart="true">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="C:\Program Files (x86)\Lansweeper\website" />
    </application>
    <bindings>
        <binding protocol="https" bindingInformation="*:443:" />
    </bindings>
    <hsts enabled="true" max-age="31536000" includeSubDomains="true" />
</site>


https://docs.microsoft.c...sts#configuration-sample

I haven't tested, so proceed with caution by making backups and testing in dev first, etc.

Microsoft recommends that you set the max age to a shorter value during testing. https://docs.microsoft.c...t-security-protocol-hsts

Hope this helps.
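
Added example, not part of the thread and not Lansweeper or Microsoft code: a way to check a response for the finding in the first post, by parsing the Strict-Transport-Security value per RFC 6797 and reporting a missing, malformed or short-lived policy. The function names, finding texts and sample header blocks are assumptions constructed for illustration.

```python
import re

# One directive per RFC 6797 section 6.1: token [ "=" ( token | quoted-string ) ]
_DIRECTIVE = re.compile(r"""^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:\s*=\s*(?:"([^"]*)"|([^\s";]*)))?$""")


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) or raise ValueError."""
    seen = {}
    # Empty directives (stray semicolons) are allowed by the grammar, so skip them.
    for part in filter(None, (p.strip() for p in value.split(";"))):
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive {part!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    age = seen.get("max-age")
    if not age or not (age.isascii() and age.isdigit()):
        raise ValueError("max-age is required and must be a non-negative integer")
    return int(age), "includesubdomains" in seen


def audit_response(raw_headers, min_max_age=31536000):
    """Return findings for the header block of one HTTPS response."""
    values = [line.split(":", 1)[1].strip() for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["Strict-Transport-Security header missing"]
    findings = []
    try:
        max_age, subdomains = parse_hsts(values[0])
    except ValueError as exc:
        return findings + [f"invalid header: {exc}"]
    if max_age < min_max_age:
        findings.append(f"max-age={max_age} is below {min_max_age}")
    if not subdomains:
        findings.append("includeSubDomains not set")
    return findings

# Constructed header blocks, not captured from a real Lansweeper server.
SAMPLES = {
    "no header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "thread config": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n",
    "testing value": 'HTTP/1.1 200 OK\r\nstrict-transport-security: MAX-AGE="300"\r\n',
}
print({label: audit_response(raw) for label, raw in SAMPLES.items()})
```

While testing with a shorter max age, pass that value as `min_max_age` so only real regressions are reported.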
