Community FAQ
George_howe
Engaged Sweeper
Recent security concerns have brought the lack of HSTS on lansweeper to light. Is there any way the next patch can resolve this?
4 REPLIES
emmy
Engaged Sweeper

HSTS (HTTP Strict Transport Security) is not enabled by default in Lansweeper. To address the scan finding, you can enable the Strict Transport Security header at the web server or proxy level (IIS, Nginx, or Apache) that serves Lansweeper. This will force all traffic over HTTPS and prevent downgrade attacks. It’s a good idea for Lansweeper to include this in future patches, but meanwhile, you can safely add the header manually at the server layer. I hope it helps!

Caleb
Engaged Sweeper III
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website
Grey
Caleb wrote:
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website

How does this apply to the default IIS Express, which does not have the standard IIS manager?
Caleb
Engaged Sweeper III
Grey wrote:
Caleb wrote:
If you are hosting Lansweeper using IIS, you can add an HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website

How does this apply to the default IIS Express, which does not have the standard IIS manager?

Per Microsoft's documentation, something like this should work.

<!-- Site definition in applicationHost.config; <hsts> is a child element of <site> -->
<site name="Lansweeper" id="1" serverAutoStart="true">
  <application path="/" applicationPool="Clr4IntegratedAppPool">
    <virtualDirectory path="/" physicalPath="C:\Program Files (x86)\Lansweeper\website" />
  </application>
  <bindings>
    <!-- HTTPS binding on every address, port 443 -->
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings>
  <!-- max-age is in seconds (31536000 = one year); includeSubDomains extends the policy to subdomains -->
  <hsts enabled="true" max-age="31536000" includeSubDomains="true" />
</site>

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts#configuration-sample

I haven't tested, so proceed with caution by making backups and testing in dev first, etc.

Microsoft recommends that you set the max age to a shorter value during testing. https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio#http-strict-transport-security-protocol-hsts

Hope this helps.
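Whichever way the header is added (the server-level header emmy describes, the URL Rewrite rule in the nartac article, or the `<hsts>` element in Caleb's config sample), the scan finding is only closed once the HTTPS response actually carries a valid `Strict-Transport-Security` value. The checker below is an added example for this thread, not Lansweeper or Microsoft code. It parses the header according to RFC 6797 (required `max-age`, optional `includeSubDomains` and `preload`, duplicates invalid, unknown directives ignored), flags a short `max-age` left over from testing, and reports an HSTS header seen over plain HTTP, which browsers ignore. The host name in `check_url` and the sample responses at the bottom are constructed, not captured from a real server.

```python
"""Verify that a host sends a usable HSTS policy (RFC 6797).

Added example for this thread, not Lansweeper or Microsoft code. It checks the
header that the IIS <hsts> element or a customHeaders entry should produce.
The sample responses at the bottom are constructed, not captured.
"""
import re
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # the max-age used in the applicationHost.config sample


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None when it is invalid.

    RFC 6797 6.1: directives are ';'-separated and case-insensitive, max-age is
    required (its value may be quoted), a directive may appear only once, and
    unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ';'
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None  # a duplicate directive makes the header invalid
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(headers: Dict[str, str], scheme: str, min_age: int = ONE_YEAR) -> List[str]:
    """Return findings for one response; an empty list means the check passes."""
    findings: List[str] = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP (RFC 6797 8.1); seeing it
        # there means the header is attached unconditionally, so check HTTPS too.
        if value is not None:
            findings.append("HSTS header sent over plain HTTP is ignored by browsers")
        return findings
    if value is None:
        return ["Strict-Transport-Security header missing on HTTPS response"]
    policy = parse_hsts(value)
    if policy is None:
        return [f"unparseable HSTS header: {value!r}"]
    if policy.max_age < min_age:
        findings.append(f"max-age={policy.max_age} is below {min_age}; looks like a testing value")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so an http:// URL is judged on its own response."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_url(url: str, verify_tls: bool = True) -> List[str]:
    """HEAD the URL and evaluate its HSTS header (needs network access)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # for a self-signed certificate on an internal Lansweeper host
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    scheme = url.split(":", 1)[0].lower()
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return evaluate(dict(resp.headers.items()), scheme)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses still carry headers
        return evaluate(dict(err.headers.items()), scheme)


if __name__ == "__main__":
    # Constructed responses standing in for a Lansweeper server (not captured traffic).
    samples = [
        ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
        ("https", {"Strict-Transport-Security": "max-age=300"}),
        ("https", {}),
        ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    ]
    for scheme, hdrs in samples:
        print(scheme, hdrs, "->", evaluate(hdrs, scheme) or "OK")
    # Against a real host (hypothetical name): check_url("https://lansweeper.example.internal/")
```

Run it against both `http://` and `https://` URLs of the Lansweeper site: the HTTPS response should come back with no findings, and the HTTP response should either redirect (reported with the headers of the 3xx) or at least not carry the header, since a header sent over HTTP is a sign the rule is not conditioned on the scheme. Lower `min_age` while you are still using the short `max-age` Microsoft recommends for testing.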
