Rogger Matamoros
Software engineer. Design enthusiast. Day trader du jour. Aspiring l33t financier with bravado.

Some Notes on HSTS

HSTS, or HTTP Strict Transport Security, is, quoth Wikipedia, "a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol." The declaration is a single response header, Strict-Transport-Security, and browsers only honor it when it arrives over an HTTPS connection with no certificate errors; the same header sent over plain HTTP is ignored.

There are 3 main directives:
- max-age
- includeSubDomains
- preload

The first, max-age, is an integer number of seconds for which the browser will treat the host as HTTPS-only, rewriting any http:// request to it into https:// before the request ever leaves the browser. The timer restarts on every HTTPS response that carries the header, and max-age=0 tells the browser to forget the policy. Mozilla's guidelines state the minimum value is 15768000, or 6 months.
The second, includeSubDomains, extends the policy to every subdomain of the host. That also means every subdomain must actually serve HTTPS, or it becomes unreachable from that browser for the life of max-age.
The third, preload, signals that the site owner consents to having the domain compiled into the browsers' built-in "Preload List," which closes the window on the very first visit before any header has been seen. The directive by itself does nothing: the domain has to be submitted at hstspreload.org, which requires a max-age of at least one year, includeSubDomains, the preload directive, and a redirect from HTTP to HTTPS. Removal from the list takes browser release cycles, so treat it as a one-way door.

Implementing HSTS in IIS/Azure
I am using an instance of Wordpress' Wordpress (sounds weird, but I had to clarify; there are Wordpress 'apps' on the Azure Marketplace from third parties), which uses IIS as its web server. In hindsight, I wish I had used one of the LAMP (Linux + Apache + MySQL + PHP) apps I've since seen from third parties, but I digress.

Since HSTS is declared by an HTTP response header, IIS itself has to be configured to send it. This is done through the web.config file, found at the web root folder of the Azure app. I have not yet found a way to modify Azure server files directly through some Azure web interface, so I will stick to ye olde faithful FTP. The FTP address, as well as the app's user credentials, can be found in the Properties section of the Settings menu.

As an aside, it appears that Visual Studio Team Services can be used to modify files directly if it is configured as a Continuous Integration deployment source. Link: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-continuous-delivery-use-vso/

In the web.config file found in the web app's root directory, make the changes suggested on this ServerFault page: http://serverfault.com/questions/417173/enable-http-strict-transport-security-hsts-in-iis-7 . Two pieces are needed: a rewrite rule that redirects plain-HTTP requests to HTTPS, and an outbound rule that adds the Strict-Transport-Security header only to responses that go out over HTTPS. Do not simply add the header under customHeaders, since that sends it on HTTP responses too, where browsers ignore it.

Upload the new web.config file back to Azure, and voila, success! Confirm it by inspecting response headers (curl -I or the browser's network panel): an https:// request should return the Strict-Transport-Security header, and an http:// request should get the 301 redirect without it.

Protip: It's about what you do, not what you say.

Facebook recruiting. Only at UNC-C.

Does not know what to do in Google+