HTTP Strict Transport Security (HSTS)

Enabling HSTS for the CLM
CAUTION: Security Risk

Without HSTS, a browser that receives an invalid TLS certificate displays a warning that the user can click through. With HSTS enabled, the browser treats the same certificate error as fatal: it blocks access to the CLM and offers the user no option to proceed.

If HSTS is enabled, the system administrator must monitor and manage the TLS certificates carefully to ensure that, for example, a certificate is not expired, self-signed, or signed by an unknown CA.

HSTS is a mechanism in which the server adds a Strict-Transport-Security header to its HTTPS responses. The header instructs the browser to use HTTPS instead of HTTP for all subsequent connections to the site for the period given by the header's max-age directive and, if the header also carries the includeSubDomains directive, for any child domain. Browsers ignore the header when it arrives over plain HTTP, so the policy is learned only after a successful HTTPS connection and is then enforced until max-age expires.

When HSTS is enabled, all CLM web interfaces are protected.

Note: HSTS is disabled by default in a CLM system and can be enabled only during system installation; you cannot enable HSTS in a deployed CLM system.

HSTS TLS certificate management

In addition to ensuring that the current TLS certificate is not expired or nearing expiry, apply the same checks to any certificate that replaces it. Once HSTS is in effect, a browser refuses a replacement certificate that is expired, self-signed, or issued by an untrusted CA exactly as it would refuse the original, and the user cannot override the refusal.

For example, if HSTS is enabled in the CLM, and you then change from a trusted root-CA-signed certificate to a self-signed certificate, browsers that attempt to connect to the CLM may prevent access because the new certificate is not trusted.
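The following Python script is an added illustration and is not part of the CLM product or its documentation. It shows in working code both points made above: how a browser interprets the Strict-Transport-Security header (max-age, includeSubDomains, and the fact that a header received over plain HTTP is ignored), and the certificate conditions that an HSTS-enforcing browser refuses outright, so that they can be checked before HSTS is enabled. The host name clm.example.net, the issuer name, and the certificate expiry are constructed samples; check_live is a hypothetical helper that runs the same checks against a real server and needs network access.

```python
"""Pre-flight checks before enabling HSTS on an HTTPS service such as the CLM.

Added example, not CLM product code.  It shows how a browser interprets a
Strict-Transport-Security header (RFC 6797) and which certificate conditions
would lock a browser out once HSTS is enforced.  Standard library only; the
certificates below are constructed samples in ssl.getpeercert() shape.
"""
import ssl
import time


def parse_hsts(header_value):
    """Parse an STS header value.  Returns None when a browser would ignore it:
    no max-age, a non-integer max-age, or a directive given twice."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"')       # max-age="31536000" is also valid
        if name in directives:
            return None                        # duplicate directive: header is invalid
        directives[name] = value
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_applies(policy, policy_host, request_host, received_over_https=True):
    """True if a browser that cached `policy` for `policy_host` would force
    HTTPS for a later request to `request_host`.  A header received over plain
    HTTP is never cached (RFC 6797 section 8.1), max-age=0 clears the policy,
    and a child domain is covered only when includeSubDomains was sent."""
    if policy is None or not received_over_https or policy["max_age"] == 0:
        return False
    if request_host == policy_host:
        return True
    return policy["include_subdomains"] and request_host.endswith("." + policy_host)


def cert_findings(cert, now=None, warn_days=30):
    """Problems that make an HSTS-enforcing browser refuse the site outright.
    `cert` is in ssl.getpeercert() shape: 'subject'/'issuer' are tuples of
    RDNs, 'notAfter' is a string such as 'Jan  1 00:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append("expires in %d days" % days_left)
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")         # no trust anchor; cannot be clicked through
    return findings


# Constructed sample certificates (not real CLM certificates).
CA_SIGNED_CERT = {
    "subject": ((("commonName", "clm.example.net"),),),
    "issuer": ((("commonName", "Example Corporate Root CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SELF_SIGNED_CERT = dict(CA_SIGNED_CERT, issuer=CA_SIGNED_CERT["subject"])
# 10 days before 2030-01-01T00:00:00Z (epoch 1893456000), used for the offline run.
SAMPLE_NOW = 1893456000 - 10 * 86400


def check_live(host, port=443, timeout=5):
    """Hypothetical helper: fetch the header and leaf certificate from a running
    server (needs network).  ssl.create_default_context() rejects an untrusted or
    self-signed certificate with SSLCertVerificationError, which is exactly the
    condition under which an HSTS-enforcing browser would lock users out."""
    import http.client
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.connect()
        cert = conn.sock.getpeercert()         # read before the response may close the socket
        conn.request("HEAD", "/")
        header = conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
    return parse_hsts(header) if header else None, cert_findings(cert)


if __name__ == "__main__":
    policy = parse_hsts("max-age=31536000; includeSubDomains")
    print("policy:", policy)
    print("child host covered:", hsts_applies(policy, "clm.example.net", "api.clm.example.net"))
    print("header over plain http cached:",
          hsts_applies(policy, "clm.example.net", "clm.example.net", received_over_https=False))
    for name, cert in ("CA-signed", CA_SIGNED_CERT), ("self-signed", SELF_SIGNED_CERT):
        print(name, "findings:", cert_findings(cert, now=SAMPLE_NOW))
```

Run against a real CLM host with check_live("clm.example.net") before enabling HSTS: an empty findings list and a parsed policy mean the certificate is one a browser will accept without a warning; an SSLCertVerificationError or a "self-signed" or "expired" finding is the situation the caution above describes, and must be fixed before HSTS is turned on.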

Configuring HSTS

You can enable HSTS during CLM system installation in the hsts section of the CLM configuration file.

Note: HSTS is disabled by default.