HSTS Strict Transport Security set to an invalid value

Stefan Sturm asked on April 26, 2017 15:32

Hello,

In Kentico, is there any place where the HSTS strict-transport-security max-age value is set when SSL is set to required on the root page in CMS (Pages -> Security -> Access)?

Because we have an invalid value on that parameter.

HSTS is neither configured in web.config nor in IIS.

Kentico version 8.1.17

Correct Answer

Brenden Kehren answered on April 27, 2017 13:14

Sorry for the indirect answer. There is no one setting that will set that value in Kentico.

1 vote

Recent Answers


Brenden Kehren answered on April 26, 2017 17:58

Be sure to have "Requires SSL" set on your master page, and it will be inherited by the rest of the content pages. For the UI, you may need to enable SSL on the admin interface as well in Settings > Security & Membership > Administration.

Lastly, you can use IIS + the IIS Rewrite module to enforce this by adding an HTTP response header.

0 votes

Stefan Sturm answered on April 27, 2017 12:56 (last edited on April 27, 2017 13:03)

Hello Brenden,

Thanks for your time.

The option "requires SSL" is configured on the master page - inheritance is working properly.

Under "Settings->Security & Membership->" there is no "Administration" available in Kentico 8.1.17.

But I don't think this is answering my question.

So:

Does Kentico set, at any point, the "strict-transport-security -> max-age value", or does this come from a server configuration?

Kind regards, Stefan

0 votes
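Added example, not part of the thread and not Kentico or IIS code: wherever the header ends up being set, the value copied from a response can be checked against the syntax rules of RFC 6797 section 6.1 to see exactly why a scanner calls it invalid. The function name `check_hsts` and the sample values are constructed for illustration.

```python
import re

# RFC 6797 section 6.1: directives are separated by ";", names are
# case-insensitive, each may appear only once, and max-age is REQUIRED.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_hsts(value):
    """Return a list of problems in a Strict-Transport-Security value ([] = valid)."""
    problems = []
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # empty directives (";;" or a trailing ";") are allowed
            continue
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not _TOKEN.match(name):
            problems.append(f"malformed directive name: {name!r}")
            continue
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        # A directive value may be a token or a quoted-string; unwrap quotes.
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        seen[name] = arg if sep else None

    if "max-age" not in seen:
        problems.append("missing required max-age directive")
    elif seen["max-age"] is None or not re.fullmatch(r"[0-9]+", seen["max-age"]):
        problems.append(f"max-age is not a non-negative integer: {seen['max-age']!r}")
    if seen.get("includesubdomains") is not None:
        problems.append("includeSubDomains must not carry a value")
    return problems


# Constructed sample header values, not taken from the thread.
SAMPLES = [
    "max-age=31536000; includeSubDomains",
    'max-age="86400"',
    "max-age=-1",
    "max-age=31536000, includeSubDomains",  # comma instead of semicolon
    "includeSubDomains",
    "max-age=300; max-age=600",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: {check_hsts(s) or 'ok'}")
```
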
