HTTP Strict Transport Security (HSTS)

Enabling HSTS for the NSP
CAUTION

Security Risk

Without HSTS, a browser that receives an invalid TLS certificate from the NSP displays a warning that the user can click through. With HSTS enabled, the browser treats a certificate error as fatal: it blocks access to the NSP and offers no option to proceed.

If HSTS is enabled, the system administrator must monitor and manage the NSP TLS certificates carefully to ensure that, for example, a certificate is not expired, self-signed, or signed by a CA that the connecting browsers do not trust. Any of these conditions makes the NSP web interfaces unreachable from a browser that has already received the HSTS policy.

HSTS is a mechanism in which the web server returns a Strict-Transport-Security response header over an HTTPS connection. The header instructs the browser to use only HTTPS for all subsequent connections to the site, for the period given by the header's max-age directive, and, if the header includes the includeSubDomains directive, for any subdomain of the site as well. A browser ignores the header if it arrives over plain HTTP, so the policy is learned on the first successful HTTPS connection; from then on the browser rewrites http:// requests for the site to https:// locally, before any traffic leaves the client.

When HSTS is enabled, all NSP web interfaces are protected.
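The behaviour described in the caution and the paragraph above, as an added example that is not NSP, NFM-P or Nokia code: a small Python model of how a browser processes the Strict-Transport-Security header and applies the stored policy. The host names, header values and timestamps are constructed for illustration. It shows the header being ignored when it arrives over plain HTTP, later http:// requests to the host (and to subdomains when includeSubDomains is present) being rewritten to https:// before any traffic is sent, a certificate error on a host with an active policy being fatal rather than a bypassable warning, and the policy lapsing once max-age has elapsed.

```python
"""Minimal model of browser-side HSTS handling (RFC 6797).

Added example, not NSP/NFM-P code. All hosts, headers and times are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class StsPolicy:
    expires: float            # absolute time (seconds since epoch) at which the policy lapses
    include_subdomains: bool  # whether the policy also covers subdomains


def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header must be ignored: no max-age, a duplicated
    max-age, or a non-numeric max-age. Unknown directives (e.g. preload) are skipped.
    """
    max_age = None
    include_subdomains = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The browser's per-host memory of HSTS policies."""

    def __init__(self) -> None:
        self._policies: Dict[str, StsPolicy] = {}

    def process_response(self, scheme: str, host: str, headers: Dict[str, str], now: float) -> bool:
        """Learn a policy from a response. Returns True if the store was updated."""
        if scheme != "https":          # header is only honoured on a secure connection
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        header = lowered.get("strict-transport-security")
        if header is None:
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:               # max-age=0 tells the browser to forget this host
            self._policies.pop(host, None)
            return True
        self._policies[host] = StsPolicy(now + max_age, include_subdomains)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def navigate(store: HstsStore, url: str, cert_valid: bool, now: float) -> Tuple[str, str]:
    """Simulate loading url; returns (scheme actually used, outcome)."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].lower()
    if store.is_known(host, now):
        scheme = "https"               # rewritten locally, before any network traffic
    if scheme == "http":
        return scheme, "cleartext"
    if cert_valid:
        return scheme, "connected"
    if store.is_known(host, now):      # certificate error on an HSTS host is fatal
        return scheme, "blocked"
    return scheme, "warning-bypassable"


def demo() -> Dict[str, object]:
    """Walk through the scenarios from the text with constructed hosts and times."""
    now = 1_700_000_000.0
    one_year = 31_536_000
    store = HstsStore()
    results: Dict[str, object] = {}
    # 1. The same header over plain HTTP is ignored.
    store.process_response("http", "nsp.example.com",
                           {"Strict-Transport-Security": f"max-age={one_year}"}, now)
    results["ignored_over_http"] = not store.is_known("nsp.example.com", now)
    # 2. First HTTPS visit installs the policy, covering subdomains.
    store.process_response("https", "nsp.example.com",
                           {"Strict-Transport-Security": f"max-age={one_year}; includeSubDomains"}, now)
    results["upgrade"] = navigate(store, "http://nsp.example.com/login", True, now + 60)
    results["subdomain"] = navigate(store, "http://api.nsp.example.com/", True, now + 60)
    # 3. An untrusted certificate is fatal on the HSTS host, bypassable elsewhere.
    results["bad_cert_blocked"] = navigate(store, "https://nsp.example.com/", False, now + 60)
    results["bad_cert_no_hsts"] = navigate(store, "https://other.example.com/", False, now + 60)
    # 4. After max-age elapses the browser no longer upgrades the request.
    results["expired_policy"] = navigate(store, "http://nsp.example.com/", True, now + one_year + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "blocked" branch is the point of the caution: once a browser holds a policy for the NSP host, a replacement certificate that the browser does not trust produces the same hard failure as an expired one, and the only remedy is to fix the certificate on the server side.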

Note: HSTS is disabled by default in an NSP system, and can be enabled only during system installation; you cannot enable HSTS in a deployed NSP system.

HSTS TLS certificate management

In addition to ensuring that the current NSP TLS certificate is neither expired nor nearing expiry, you must ensure that any replacement certificate meets the same trust requirements as the certificate it replaces. HSTS does not bind the browser to a particular certificate, but it makes every certificate error fatal, so a replacement that the browser does not trust is as disruptive as an expired one.

For example, if HSTS is enabled in the NSP and you replace a certificate signed by a trusted root CA with a self-signed certificate, browsers that have already received the HSTS policy refuse to connect to the NSP, because the new certificate is not trusted and the error cannot be bypassed.

Configuring HSTS

You can enable HSTS during NSP system installation in the hsts section of the NSP configuration file.

Note: HSTS is disabled by default.

NFM-P HSTS configuration

You can enable HSTS during NFM-P installation using the samconfig utility on a main server.