Security: HSTS Missing - The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

Posted: Wednesday, September 30, 2020 9:36:49 PM(UTC)
Grey (Member, Original Poster, Posts: 2)
Recent security concerns have brought the lack of HSTS on Lansweeper to light. Is there any way the next patch can resolve this?
Grey attached the following image(s):
hsts lansweeper.png
#1 Caleb (Member, Posts: 19)
posted: 10/2/2020 12:23:38 AM(UTC)
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website
#2 Grey (Member, Original Poster, Posts: 2)
posted: 10/2/2020 2:28:03 PM(UTC)
Originally Posted by: Caleb
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?
#3 Caleb (Member, Posts: 19)
posted: 10/2/2020 4:35:45 PM(UTC)
Originally Posted by: Grey
Originally Posted by: Caleb
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.c...urity-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?


Per Microsoft's documentation, something like this should work.

Code:
<site name="Lansweeper" id="1" serverAutoStart="true">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="C:\Program Files (x86)\Lansweeper\website" />
    </application>
    <bindings>
        <binding protocol="https" bindingInformation="*:443:" />
    </bindings>
    <hsts enabled="true" max-age="31536000" includeSubDomains="true" />
</site>


https://docs.microsoft.c...sts#configuration-sample

I haven't tested, so proceed with caution by making backups and testing in dev first, etc.

Microsoft recommends that you set the max age to a shorter value during testing. https://docs.microsoft.c...t-security-protocol-hsts

Hope this helps.
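
A way to confirm the scanner finding is resolved after a change like the one above, as an added example that is not part of the original thread: a Python check of the `Strict-Transport-Security` value following the rules in RFC 6797. The function names and sample responses are constructed for illustration, and the one-year threshold assumes the `max-age` from the config in post #3.

```python
import re

# Assumption: one year, the max-age="31536000" value from the config above.
EXPECTED_MAX_AGE = 31536000
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value}, or None when a browser would ignore it."""
    policy = {}
    for part in value.split(";"):   # simplification: no ';' inside quotes
        name, sep, raw = part.strip().partition("=")
        name = name.strip().lower()
        if not name and not sep:
            continue                # empty directives are permitted
        if not _TOKEN.fullmatch(name) or name in policy:
            return None             # malformed name or repeated directive
        policy[name] = raw.strip().strip('"') if sep else None
    age = policy.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                 # max-age is required and numeric
    policy["max-age"] = int(age)
    return policy


def audit_hsts(headers, scheme="https"):
    """headers: list of (name, value) pairs from one response.
    Returns a list of findings; an empty list means the check passed."""
    if scheme != "https":
        return ["HSTS is ignored over plain HTTP; test the HTTPS binding"]
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing"]
    findings = []
    if len(values) > 1:
        findings.append("header sent more than once; only the first counts")
    policy = parse_hsts(values[0])
    if policy is None:
        return findings + ["header value invalid; browsers discard it"]
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells browsers to drop the policy")
    elif policy["max-age"] < EXPECTED_MAX_AGE:
        findings.append("max-age shorter than one year (test value left in?)")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains not present")
    return findings


# Constructed sample responses, not captured from a real server.
SAMPLE_OK = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
SAMPLE_TEST = [("strict-transport-security", "max-age=300")]
```

Feed `audit_hsts` the header pairs from a response fetched over the site's HTTPS binding; a short `max-age` left over from testing shows up as a finding rather than a pass.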
