
ShunNien's Blog

Without accumulating small steps one cannot travel a thousand li; without gathering small streams one cannot form rivers and seas.


Setting the HSTS header in IIS

demo

For some units within the company's projects HSTS is practically useless, because the browsers they use do not support it; that is why it was flagged in this scan.

Insecure Transport: HSTS not Set ( 11365 )

Summary

HTTP Strict Transport Security (HSTS) policy enables web applications to force web browsers to restrict communication with the server to an encrypted SSL/TLS connection for a set period. The policy is declared via the special Strict-Transport-Security response header. The encrypted connection protects sensitive user and session data from attackers eavesdropping on the network connection.
Consider the following attack scenarios:

  • Users often omit the URI scheme, i.e. https://, when typing a URL in the location bar to access a website. Third-party websites may also link to the site using the "http" scheme instead of "https". This can result in an initial connection to an HTTPS-enabled site over an unencrypted channel. An eavesdropping attacker can hijack this unencrypted connection and replace the intended use of HTTPS with HTTP in an attack known as SSLStrip, granting unauthorized access to all subsequent traffic.

  • Websites often transfer non-sensitive resources such as help documents over an unencrypted HTTP connection. Any cookies without the Secure flag are sent along with such requests, potentially disclosing sensitive user and session data to an eavesdropper.

  • Man-in-the-Middle attacks that exploit user tendencies to override invalid certification warnings, e.g. SSLSniff.

For web sites configured with an accurate HSTS policy, browsers automatically upgrade any HTTP connections to HTTPS. Furthermore, browsers prevent users from overriding host certificate warnings. HSTS offers an effective defense against the above attack scenarios.

HSTS introduction

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
Source - MDN

HSTS (HTTP Strict Transport Security) is an international standard (RFC 6797) for web browsing security. It declares that communication between the browser and the server must use a TLS/SSL encrypted channel. The server only has to send a Strict-Transport-Security header to the browser, and this tells the browser to connect to the site exclusively over SSL for a given period of time (optionally including all subdomains). If the certificate becomes invalid, the user will not be able to browse the site at all, which greatly reduces the risk of man-in-the-middle attacks.

IIS configuration

This configuration was covered in Scott's article, which explains the setup in detail. Because the HSTS header only conforms to the specification when it is attached to HTTPS responses, the better approach is to attach it conditionally through a URL Rewrite rule, as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
                 pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
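The two rules above encode two conditions that are worth checking after deployment: a plain-HTTP request must be permanently redirected to https, and only HTTPS responses should carry Strict-Transport-Security (browsers ignore the header when it arrives over HTTP, RFC 6797 section 8.1, so an HTTPS-only rule is what makes the finding go away). The following script is an added example, not code from the original post or from Scott's article. It parses the header value per RFC 6797 section 6.1 and runs the checks over constructed sample responses that mirror what the rules produce (the hostname www.example.com and the sample names are assumptions); it goes beyond the page by also validating the optional includeSubDomains and preload directives.

```python
"""Check an HSTS deployment against RFC 6797 on constructed sample responses.

Added example, not part of the original post. The sample responses below are
constructed to mirror the IIS rewrite rules: HTTP gets a 301 to https, and
HTTPS carries Strict-Transport-Security with max-age=31536000.
"""
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # the max-age value the rewrite rule sets


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns None when the header is invalid: max-age missing or malformed,
    or any directive repeated. Unknown directives are ignored, as the RFC
    requires. A quoted max-age value ("100") is accepted.
    """
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:  # directives MUST NOT appear more than once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_response(scheme: str, status: int, headers: dict, min_age: int = ONE_YEAR) -> list:
    """Return a list of findings for one response; an empty list means it is fine."""
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    findings = []
    if scheme == "http":
        location = lower.get("location", "")
        if status not in (301, 308) or not location.startswith("https://"):
            findings.append("plain HTTP request is not permanently redirected to https")
        if hsts is not None:
            # Browsers ignore HSTS received over HTTP (RFC 6797 section 8.1)
            findings.append("Strict-Transport-Security over HTTP is ignored by browsers")
        return findings
    if hsts is None:
        findings.append("HSTS not set on HTTPS response")
        return findings
    policy = parse_hsts(hsts)
    if policy is None:
        findings.append(f"malformed Strict-Transport-Security value: {hsts!r}")
    elif policy.max_age == 0:
        findings.append("max-age=0 tells browsers to delete the stored HSTS policy")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the expected {min_age}")
    return findings


# Constructed sample responses (scheme, status, headers), hostname assumed.
SAMPLES = {
    "http-redirect": ("http", 301, {"Location": "https://www.example.com/"}),
    "https-ok": ("https", 200, {"Strict-Transport-Security": "max-age=31536000"}),
    "https-missing": ("https", 200, {"Content-Type": "text/html"}),
    "https-zero": ("https", 200, {"Strict-Transport-Security": "max-age=0"}),
}


def audit(samples=SAMPLES) -> dict:
    """Run check_response over every sample; returns {name: findings}."""
    return {name: check_response(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Against the sample set, only "https-missing" (the scanner's "HSTS not Set" case) and "https-zero" produce findings; the two responses that match the rewrite rules pass. To run it against a live site, replace the constructed SAMPLES with the scheme, status and headers of real responses.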

References
