
Identity Manager 8.1.5 - Web Application Configuration Guide


Using HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism for HTTPS connections that helps protect websites against protocol downgrade attacks and cookie hijacking. The server sends the header "Strict-Transport-Security" to the user's browser, instructing it that for a defined time (max-age) this domain must only be accessed over encrypted connections. The setting can optionally be extended to all subdomains with the parameter includeSubDomains, so that not only https://example.org but also https://subdomains.example.org is covered.

To enable HSTS

  1. Open the configuration file web.config for the chosen web application.
  2. Set the HTTP Response Header Strict-Transport-Security to the value max-age=expireTime.

    For more detailed information about setting the HTTP Response Header, see https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts.

Disabling insecure encryption mechanisms

It is recommended that you disable all unnecessary encryption methods and protocols on the grounds of security. If you disable redundant protocols and methods, older platforms and systems may not be able to establish connections with web applications anymore. Therefore, you must decide which protocols and methods are necessary, based on the platforms required.

NOTE: The software "IIS Crypto" from Nartac Software is recommended for disabling encryption methods and protocols.

For more information about disabling encryption, see https://www.nartac.com/Products/IISCrypto.


Setting the "HttpOnly" attribute for ASP.NET session cookies

To prevent cookies from being manipulated by JavaScript and to reduce the risk of cross-site scripting attacks and cookie theft, you can set the so-called "HttpOnly" attribute for your ASP.NET session cookies. This means that the cookies can no longer be read or modified by client-side scripts.

To set the "HttpOnly" attribute for ASP.NET session cookies

  1. Open the configuration file web.config for the chosen web application.

  2. In the <configuration> section, enter the following code snippet:

    <system.web>
        <httpCookies httpOnlyCookies="true"/>
    </system.web>
  3. Save the file.


Setting the "same-site" attribute for ASP.NET session cookies

To prevent cross-site request forgery (CSRF), you can set the same-site attribute for your ASP.NET session cookies.

To set the same-site attribute for all .NET versions from 4.7.2

  1. Open the configuration file web.config for the chosen web application.

  2. Enter the following code snippet in the <configuration> section:

    <system.web>
        <httpCookies sameSite="Strict" />
    </system.web>
  3. Save the file.
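The three settings described above (an HSTS header with max-age and optionally includeSubDomains, and session cookies carrying HttpOnly and SameSite) can be verified from a captured response. The following Python script is an added example, not part of this guide or the Identity Manager product; the response headers it parses are constructed, and the one-year minimum it applies to max-age is an assumption, not a value from the guide.

```python
import re

# Constructed sample response (not captured from a real system), one header per line.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Strict
Set-Cookie: prefs=dark; path=/
"""

def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; the status line is skipped."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_hsts(headers, min_age=31536000):
    """HSTS only takes effect with a max-age; one year (31536000 s) is the assumed minimum."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return {"present": False, "max_age": None, "include_subdomains": False, "ok": False}
    directives = [d.strip().lower() for d in values[0].split(";")]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return {"present": True, "max_age": max_age,
            "include_subdomains": "includesubdomains" in directives,
            "ok": max_age is not None and max_age >= min_age}

def check_cookies(headers):
    """Per cookie: is HttpOnly set, and which SameSite value (if any) does it carry."""
    results = {}
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            key, _, val = p.partition("=")
            attrs[key.lower()] = val or True   # flag attributes such as HttpOnly carry no value
        results[cookie_name] = {"httponly": "httponly" in attrs, "samesite": attrs.get("samesite")}
    return results
```

Run `check_hsts(parse_headers(SAMPLE_HEADERS))` and `check_cookies(...)` against a real response captured from the web application; a cookie reported without HttpOnly or SameSite, or an HSTS result with `ok` false, indicates the corresponding web.config setting has not taken effect.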
