Security: HSTS Missing - The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

Posted: Wednesday, September 30, 2020 9:36:49 PM(UTC)
Grey Member Original Poster Posts: 2
Recent security concerns have brought the lack of HSTS on Lansweeper to light. Is there any way the next patch can resolve this?
Grey attached the following image(s):
hsts lansweeper.png
#1 Caleb Member Posts: 19
posted: 10/2/2020 12:23:38 AM(UTC)
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website
#2 Grey Member Original Poster Posts: 2
posted: 10/2/2020 2:28:03 PM(UTC)
Originally Posted by: Caleb
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?
#3 Caleb Member Posts: 19
posted: 10/2/2020 4:35:45 PM(UTC)
Originally Posted by: Grey
Originally Posted by: Caleb
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?


Per Microsoft's documentation, something like this should work.

Code:
<site name="Lansweeper" id="1" serverAutoStart="true">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="C:\Program Files (x86)\Lansweeper\website" />
    </application>
    <bindings>
        <binding protocol="https" bindingInformation="*:443:" />
    </bindings>
    <!-- HSTS policy for this site: max-age is in seconds (31536000 = one year) -->
    <hsts enabled="true" max-age="31536000" includeSubDomains="true" />
</site>


https://docs.microsoft.c...sts#configuration-sample

I haven't tested, so proceed with caution by making backups and testing in dev first, etc.

Microsoft recommends that you set the max age to a shorter value during testing. https://docs.microsoft.c...t-security-protocol-hsts

Hope this helps.
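
Added example, not part of the thread and not Lansweeper or Microsoft code: a small audit that reads the <site> entries from a configuration like the one in the reply above and reports which HTTPS sites lack an effective hsts element. The sample XML, the second site name and the 180-day max-age floor are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <site> layout in the reply above; the
# second site is hypothetical and exists only to show a failing case.
SAMPLE_CONFIG = """
<sites>
  <site name="Lansweeper" id="1" serverAutoStart="true">
    <bindings>
      <binding protocol="https" bindingInformation="*:443:" />
    </bindings>
    <hsts enabled="true" max-age="31536000" includeSubDomains="true" />
  </site>
  <site name="ExampleNoHsts" id="2">
    <bindings>
      <binding protocol="https" bindingInformation="*:8443:" />
    </bindings>
  </site>
</sites>
"""

MIN_MAX_AGE = 15552000  # assumed policy floor (180 days), not from the thread

def audit_hsts(config_xml, min_max_age=MIN_MAX_AGE):
    """Return {site name: [findings]} for every site with an HTTPS binding."""
    results = {}
    for site in ET.fromstring(config_xml).iter("site"):
        protocols = {b.get("protocol", "").lower() for b in site.iter("binding")}
        if "https" not in protocols:
            continue  # browsers only honour HSTS received over HTTPS
        findings = []
        hsts = site.find("hsts")
        if hsts is None or hsts.get("enabled", "false").lower() != "true":
            findings.append("hsts element missing or not enabled")
        else:
            try:
                max_age = int(hsts.get("max-age", "0"))
            except ValueError:
                max_age = -1  # non-numeric value: treat as failing
            if max_age < min_max_age:
                findings.append(f"max-age {max_age} below {min_max_age}")
            if hsts.get("includeSubDomains", "false").lower() != "true":
                findings.append("includeSubDomains not set")
        results[site.get("name")] = findings
    return results

if __name__ == "__main__":
    for name, findings in audit_hsts(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A short max-age used during testing, as recommended in the reply above, will be reported until the value is raised past the floor.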
