George_howe
Engaged Sweeper
Recent security concerns have brought the lack of HSTS on lansweeper to light. Is there any way the next patch can resolve this?
3 REPLIES
Caleb
Engaged Sweeper III
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website
Caleb wrote:
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?
Caleb
Engaged Sweeper III
Grey wrote:
Caleb wrote:
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website


How does this apply to the default IIS Express, which does not have the standard IIS manager?


Per Microsoft's documentation, something like this should work.

<site name="Lansweeper" id="1" serverAutoStart="true">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="C:\Program Files (x86)\Lansweeper\website" />
    </application>
    <bindings>
        <binding protocol="https" bindingInformation="*:443:" />
    </bindings>
    <!-- HSTS: IIS adds a Strict-Transport-Security header (one-year max-age, subdomains included) to HTTPS responses -->
    <hsts enabled="true" max-age="31536000" includeSubDomains="true" />
</site>


https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts#configuration-sample

I haven't tested, so proceed with caution by making backups and testing in dev first, etc.

Microsoft recommends that you set the max age to a shorter value during testing. https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio#http-strict-transport-security-protocol-hsts

Hope this helps.
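Once the <hsts> element above has been applied, the thing to verify is that the Lansweeper site actually returns a Strict-Transport-Security header with a production-grade max-age. The following checker is an added example written for this thread, not code from Lansweeper or from the posters; the header values it ships with are constructed samples, and the live-URL mode assumes the site is reachable over HTTPS from where you run it.

```python
import sys
import urllib.request

ONE_YEAR = 31536000  # the max-age used in the config sample above

# Constructed sample response headers (not captured from a real Lansweeper host)
SAMPLE_HEADERS = {
    "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "testing": {"Strict-Transport-Security": "max-age=300"},   # short value, as MS suggests for testing
    "missing": {"Server": "Microsoft-IIS/10.0"},               # HSTS not enabled at all
}


def parse_hsts(value):
    """Split an HSTS header value into lower-cased directives (RFC 6797 syntax)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Return (ok, findings) for a dict of response headers; lookup is case-insensitive."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["Strict-Transport-Security header missing"]
    directives = parse_hsts(value)
    findings = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False, ["max-age directive missing or not an integer"]
    if max_age < min_max_age:
        findings.append(f"max-age={max_age} is below {min_max_age} (ok for testing, too short for production)")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains directive not set")
    return not findings, findings


def check_url(url, min_max_age=ONE_YEAR):
    """Fetch the HTTPS URL and run check_hsts on the live response headers."""
    with urllib.request.urlopen(url) as resp:
        return check_hsts(dict(resp.headers.items()), min_max_age)


if __name__ == "__main__":
    # Usage: python hsts_check.py https://lansweeper.example.internal/   (hypothetical host)
    ok, findings = check_url(sys.argv[1]) if len(sys.argv) > 1 else check_hsts(SAMPLE_HEADERS["hardened"])
    print("OK" if ok else "FAIL", *findings, sep="\n  ")
```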