HSTS Missing from HTTPS Server fix for SharePoint web application

adil 1,226 Reputation points
2024-07-10T14:44:15.3366667+00:00

Hi,

I found the below finding when I did a security scan of an internet-facing SharePoint site:

HSTS Missing from HTTPS Server:

1. How do I enable HSTS for a SharePoint site, and if I enable it, is there any impact to the SharePoint site?

2. Can it be done as a configuration change in the web application's config file?


Accepted answer
  1. RaytheonXie_MSFT 33,716 Reputation points Microsoft Vendor
    2024-07-11T02:21:36.2833333+00:00

    Hi @adil

    You can enable it via the web.config in IIS as shown in How to enable HTTP Strict Transport Security (HSTS) in IIS7+.

    Once the browser is aware that a domain has enabled HSTS, it:

    Always uses an https:// connection, including when clicking on an http:// link or after typing a URL into the address bar without specifying a protocol.

    Removes the ability for users to click through warnings (for example, expired, or invalid certificates, name mismatches, etc.).

    There are some scenarios (for example, user has a new computer, new profile, new browser or has cleared browser data and settings) where a user is vulnerable for a short period of time because they're visiting the site for the first time without HSTS being enforced. To address these scenarios, the Chromium project maintains an HSTS Preload List (which is also used by other browsers like Microsoft Edge and Mozilla Firefox). The Preload List enforces HSTS even when visiting a site for the first time.

    You can submit your domain to the HSTS Preload List. The web server must also send the preload directive as part of the Strict-Transport-Security header to signal that HSTS preloading should be performed by the browser.

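The answer above points at editing web.config directly. On a SharePoint farm a hand edit has to be repeated on every web front end and can be lost when SharePoint rewrites web.config, so the supported route is an SPWebConfigModification that the farm persists and pushes out itself. The following script is an added example written for this thread; it is not code from the original post, from the linked IIS article, or from Microsoft. The web application URL https://sp.contoso.com and the owner tag Contoso.HSTS are placeholders, and it assumes an elevated SharePoint Management Shell run by a farm administrator.

```powershell
# Added example (not from the original thread): add a Strict-Transport-Security
# header to a SharePoint web application through SPWebConfigModification, so the
# change is stored in the configuration database and applied on every web front
# end, then read the header back from the HTTPS endpoint to confirm it.
# Assumptions (placeholders): web application at https://sp.contoso.com, run in an
# elevated SharePoint Management Shell as a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://sp.contoso.com"   # placeholder, use the HTTPS zone URL
$webApp    = Get-SPWebApplication $webAppUrl

# max-age is in seconds. Start small while validating; raise it to a year
# (31536000, also the minimum the preload list accepts) only once every zone of
# this host name answers over HTTPS with a valid certificate, because browsers
# will refuse plain-HTTP access to the host for the whole period and will no
# longer let users click through certificate warnings.
$maxAge      = 300
$headerValue = "max-age=$maxAge"
# includeSubDomains also pins every subdomain of sp.contoso.com; add it only if
# none of those is served over HTTP only:
# $headerValue = "max-age=$maxAge; includeSubDomains"

$mod = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$mod.Path     = "configuration/system.webServer/httpProtocol/customHeaders"
$mod.Name     = "add[@name='Strict-Transport-Security']"
$mod.Sequence = 0
$mod.Owner    = "Contoso.HSTS"   # placeholder tag; lets you find and remove this change later
$mod.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChild
$mod.Value    = "<add name='Strict-Transport-Security' value='$headerValue' />"

# Drop any earlier copy of this modification (same owner) so re-running the
# script with a new max-age does not leave duplicate <add> elements behind.
$existing = @($webApp.WebConfigModifications | Where-Object { $_.Owner -eq $mod.Owner })
foreach ($old in $existing) { [void]$webApp.WebConfigModifications.Remove($old) }

$webApp.WebConfigModifications.Add($mod)
$webApp.Update()
# Writes the merged web.config on every web front end in the farm.
$webApp.WebService.ApplyWebConfigModifications()

# Verify from the outside: the header must be present on the HTTPS response.
$response = Invoke-WebRequest -Uri $webAppUrl -UseBasicParsing -UseDefaultCredentials
$hsts = $response.Headers["Strict-Transport-Security"]
if ($hsts) {
    Write-Host "HSTS header set: $hsts"
} else {
    Write-Warning "No Strict-Transport-Security header on $webAppUrl"
}
```

Two caveats when using customHeaders this way. First, IIS emits a custom header on every response, so if the same IIS site also has an HTTP binding (for example a second zone of the web application on port 80) the header will be sent over plain HTTP as well; browsers ignore it there, but RFC 6797 says the server should not send it over an insecure transport and some scanners flag it. If that applies, condition the header on HTTPS with a URL Rewrite outbound rule (the approach the linked IIS7+ article uses) or, on IIS 10, use the site-level <hsts> element instead of a custom header. Second, set a short max-age first and only lengthen it after confirming that every host name and zone users reach under this name works over HTTPS, since a long max-age cannot be recalled from clients that have already cached it.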

