Is HSTS Missing From Your HTTPS Server? Why It Matters and How to Implement It

Ensuring your website is secure is paramount in today’s digital landscape. While HTTPS encryption is a fundamental step, it’s not always enough. One crucial security measure that might be missing from your HTTPS server is HTTP Strict Transport Security (HSTS). This article delves into why HSTS is essential, how to detect if it’s missing, and provides a comprehensive guide to implementing it, particularly within the context of Exchange Server.

Understanding HSTS and Why It’s Crucial for HTTPS Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that tells browsers to interact with a website exclusively over secure HTTPS connections. It is standardized in RFC 6797 and plays a significant role in protecting website visitors.

When a web server with HSTS enabled sends a Strict-Transport-Security header to a browser over an HTTPS connection, it instructs the browser to remember this policy for a specified duration, defined by the max-age directive in seconds. From that point forward, the browser will automatically convert any attempts to access the site via HTTP to HTTPS, ensuring all communication is encrypted.

Benefits of HSTS

  • Enhanced Security: HSTS effectively mitigates various attack vectors, most notably man-in-the-middle attacks that attempt to downgrade connections from HTTPS to HTTP. By enforcing HTTPS, HSTS closes the door to such exploits.
  • Reduced Reliance on HTTP Redirects: Traditionally, websites redirect users from HTTP to HTTPS using HTTP 302 redirects. While functional, these redirects are vulnerable during the initial HTTP connection. HSTS eliminates this vulnerability by instructing the browser to directly use HTTPS, thus removing the need for insecure redirects after the initial HSTS policy is set.
  • Improved Performance (Slight): Although not its primary goal, HSTS can contribute to minor performance improvements by eliminating the server-side redirect process. The browser directly initiates an HTTPS connection, potentially speeding up initial page loads after the policy is established.

Risks of Missing HSTS

If HSTS is missing from your HTTPS server, you leave potential vulnerabilities open:

  • Downgrade Attacks: Without HSTS, the initial HTTP connection is susceptible to downgrade attacks, where attackers can intercept the connection and force the browser to communicate over unencrypted HTTP.
  • Session Hijacking: If a user inadvertently accesses your site via HTTP (e.g., by typing http:// or clicking an old link), their session could be hijacked before the redirect to HTTPS occurs.
  • Compliance and Best Practices: Modern security standards and compliance frameworks often recommend or require HSTS as a fundamental security control for websites handling sensitive information.

Diagnosing the “HSTS Missing” Issue

Before implementing HSTS, it’s essential to verify if it’s already configured on your server. Several online tools and browser developer tools can assist in this diagnosis.

Using Browser Developer Tools

Modern browsers like Chrome, Firefox, and Edge have built-in developer tools that allow you to inspect HTTP headers. Here’s how to check for the Strict-Transport-Security header:

  1. Open Developer Tools: In your browser, open developer tools (usually by pressing F12).
  2. Navigate to the Network Tab: Go to the “Network” tab.
  3. Access Your Website: Enter your website’s URL (using HTTPS) in the address bar and load the page.
  4. Inspect Headers: Find the main request for your website (usually the first entry in the Network tab). Click on it and go to the “Headers” tab.
  5. Check for Strict-Transport-Security: Look for the Strict-Transport-Security header in the “Response Headers” section. If it’s present, HSTS is enabled. If it’s absent, HSTS is missing.

Online HSTS Checkers

Numerous online tools can scan your website and check for the presence of the HSTS header. Simply search for “HSTS checker” on your preferred search engine to find and use these tools.

Common Reasons for HSTS Missing

  • Default Configuration: HSTS is not enabled by default on most web servers. It requires explicit configuration.
  • Misconfiguration: Even if administrators intend to enable HSTS, misconfiguration in server settings or reverse proxies can lead to it being absent.
  • Lack of Awareness: Some website administrators may be unaware of HSTS and its security benefits, leading to its omission.

Implementing HSTS on Your HTTPS Server

Enabling HSTS involves configuring your web server to send the Strict-Transport-Security header in its HTTPS responses. The configuration method varies depending on your server software. Below, we focus on implementing HSTS on Exchange Server, a common platform where ensuring secure communication is critical.

HSTS Implementation on Exchange Server

The following methods detail how to enable HSTS on Exchange Server 2019 and 2016. It’s crucial to configure HSTS on the Default Web Site in IIS, as this is the primary endpoint for client connections. Do not configure HSTS on the Exchange Back End site. Consider also configuring HSTS on load balancers or reverse proxies in front of Exchange Server.

Exchange Server 2019

You can enable HSTS on Exchange Server 2019 using either PowerShell or the IIS Manager UI.

HSTS Configuration via PowerShell (Exchange Server 2019)

Open an elevated PowerShell window and execute the following commands:

Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

$sitesCollection = Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection
$siteElement = Get-IISConfigCollectionElement -ConfigCollection $sitesCollection -ConfigAttribute @{"name"="Default Web Site"}
$hstsElement = Get-IISConfigElement -ConfigElement $siteElement -ChildElementName "hsts"

Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "enabled" -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "max-age" -AttributeValue 300
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "includeSubDomains" -AttributeValue $true

To include the preload directive (recommended if you plan to submit to the HSTS Preload List), use:

Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "preload" -AttributeValue $true

Complete the configuration with:

Stop-IISCommitDelay
Remove-Module IISAdministration

HSTS Configuration via IIS Manager (Exchange Server 2019)

  1. Open IIS Manager (InetMgr.exe).

  2. Navigate to Sites > Default Web Site.

  3. In the Actions pane, click HSTS....

    Alt Text: HSTS settings option highlighted in the Actions menu within IIS Manager for the Default Web Site.

  4. Check Enable.

  5. Set Max-age to 300 (for initial testing, increase later).

  6. Select IncludeSubDomains as needed.

  7. Check Preload if planning to submit to the HSTS Preload List.

    Alt Text: HSTS configuration window in IIS Manager showing options for Enable, Max-age, IncludeSubDomains, and Preload directives.

  8. Click OK.

Exchange Server 2016

HSTS configuration on Exchange Server 2016 is primarily done through PowerShell.

HSTS Configuration via PowerShell (Exchange Server 2016) – Windows Server 2012 & 2012 R2

For Windows Server 2012 and 2012 R2, use these commands. Without preload:

Import-Module WebAdministration
Add-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\Sites\Default Web Site" -Name . -AtElement @{name="Strict-Transport-Security"} -Value @{name="Strict-Transport-Security";value="max-age=300; includeSubDomains"}

With preload:

Import-Module WebAdministration
Add-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\Sites\Default Web Site" -Name . -AtElement @{name="Strict-Transport-Security"} -Value @{name="Strict-Transport-Security";value="max-age=300; includeSubDomains; preload"}

HSTS Configuration via PowerShell (Exchange Server 2016) – Windows Server 2016

For Windows Server 2016, use these commands. Without preload:

Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

$iisConfig = Get-IISConfigSection -SectionPath "system.webServer/httpProtocol" -CommitPath "Default Web Site" | Get-IISConfigCollection -CollectionName "customHeaders"

New-IISConfigCollectionElement -ConfigCollection $iisConfig -ConfigAttribute @{"name"="Strict-Transport-Security"; "value"="max-age=300; includeSubDomains";}

With preload:

Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

$iisConfig = Get-IISConfigSection -SectionPath "system.webServer/httpProtocol" -CommitPath "Default Web Site" | Get-IISConfigCollection -CollectionName "customHeaders"

New-IISConfigCollectionElement -ConfigCollection $iisConfig -ConfigAttribute @{"name"="Strict-Transport-Security"; "value"="max-age=300; includeSubDomains; preload";}

Complete the configuration with:

Stop-IISCommitDelay
Remove-Module IISAdministration

Recommended max-age Values and Rollout Strategy

Start with a low max-age value like 300 seconds (5 minutes) for initial testing. Monitor client connectivity closely. Gradually increase the max-age in stages:

  1. 300 seconds (5 minutes): Initial testing phase.
  2. 604800 seconds (1 week): Mid-term rollout.
  3. 2592000 seconds (1 month): Further rollout.
  4. 31536000 seconds (1 year): Minimum recommended for production and HSTS Preload List submission.
  5. 63072000 seconds (2 years): Recommended long-term value.

Wait for the full max-age duration at each stage before moving to the next.
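The checks in the “Diagnosing” section and the staged rollout above can be exercised offline. The following Python script is an added example written for this article, not code from the original page or from Microsoft: it parses a Strict-Transport-Security header value the way RFC 6797 tells a browser to (max-age required, directive names case-insensitive, a repeated directive invalidates the header, unknown directives ignored), decides what a browser does with a given response (the header is honoured only over HTTPS, and max-age=0 makes the browser forget the host, which is what the disabling steps later in this article rely on), and maps the current max-age onto the rollout stages listed above. The preload check encodes the hstspreload.org submission requirements that this offline check can see (max-age of at least one year, includeSubDomains and preload); the sample responses are constructed, and the function and constant names are this example’s own.

```python
"""Offline checker for Strict-Transport-Security headers (added example)."""
from dataclasses import dataclass
from typing import Optional

# Staged rollout from the article (seconds): 5 min, 1 week, 1 month, 1 year, 2 years.
ROLLOUT_STAGES = [300, 604800, 2592000, 31536000, 63072000]
# hstspreload.org requires at least one year plus includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a header value; return None when a browser would discard it.

    RFC 6797 section 6.1: max-age is required, directive names are
    case-insensitive, a repeated directive invalidates the header, and
    directives the browser does not know are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="300" is also legal
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown and silently ignored
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_response(scheme: str, headers: dict) -> dict:
    """Say what a browser does with one response (headers: name -> value)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme.lower() != "https":
        # RFC 6797 section 8.1: the header is only honoured on a secure transport
        return {"status": "ignored", "reason": "HSTS header received over plain HTTP"}
    if value is None:
        return {"status": "missing", "reason": "no Strict-Transport-Security header"}
    policy = parse_hsts(value)
    if policy is None:
        return {"status": "invalid", "reason": "malformed header, browser discards it"}
    if policy.max_age == 0:
        # This is how disabling HSTS on the server takes effect on clients
        return {"status": "removed", "reason": "max-age=0 tells the browser to forget the host"}
    return {"status": "active", "policy": policy}


def rollout_advice(policy: HstsPolicy) -> dict:
    """Locate max-age in the staged rollout and list what still blocks preloading."""
    completed = sum(1 for stage in ROLLOUT_STAGES if policy.max_age >= stage)
    next_max_age = ROLLOUT_STAGES[completed] if completed < len(ROLLOUT_STAGES) else None
    blockers = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        blockers.append("max-age below one year")
    if not policy.include_subdomains:
        blockers.append("includeSubDomains not set")
    if not policy.preload:
        blockers.append("preload directive not set")
    return {"stages_completed": completed, "next_max_age": next_max_age,
            "preload_ready": not blockers, "preload_blockers": blockers}


# Constructed sample responses, as they might be copied from the Network tab.
SAMPLES = {
    "owa over http": ("http", {"Strict-Transport-Security": "max-age=300"}),
    "initial rollout": ("https", {"Strict-Transport-Security": "max-age=300; includeSubDomains"}),
    "production": ("https", {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}),
    "typo in header": ("https", {"Strict-Transport-Security": "max_age=300"}),
    "being disabled": ("https", {"Strict-Transport-Security": "max-age=0"}),
}

if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLES.items():
        result = evaluate_response(scheme, headers)
        line = f"{label:16} {result['status']:8}"
        if result["status"] == "active":
            line += f" {rollout_advice(result['policy'])}"
        else:
            line += f" {result['reason']}"
        print(line)
```

To use it on a real server, paste the Response Headers shown in the browser’s Network tab into a dictionary like the ones in SAMPLES. The “typo in header” sample shows why a checker that merely looks for the header name is not enough: the header is present, but a browser discards it because no valid max-age directive is found, so the site has no HSTS protection. The preload check only covers what the header itself reveals; the preload list additionally requires a valid certificate and an HTTP-to-HTTPS redirect on the base domain, which have to be verified against the live site.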

Verifying HSTS Implementation

After enabling HSTS, validate its proper function using browser tools:

  1. Access your site via HTTPS: Open a browser and navigate to your Exchange server’s OWA or ECP URL using HTTPS (e.g., https://mail.yourdomain.com/owa). Ensure the certificate is valid and trusted.

  2. Open edge://net-internals/#hsts (Microsoft Edge; in Chrome the equivalent is chrome://net-internals/#hsts): Type this into the address bar and press Enter.

  3. Query your domain: Enter your domain name in the Query HSTS/PKP domain box and press Enter.

    Alt Text: Microsoft Edge browser’s HSTS query tool input field for domain verification.

  • “Not found” result: HSTS is not active for the domain, either not configured or policy expired.

  • “Found” result: HSTS is active, showing policy details like max-age, includeSubDomains, and preload.

    Alt Text: Microsoft Edge browser’s HSTS query tool displaying successful results, indicating HSTS is enabled with policy details.

HSTS Blocking Untrusted Connections

If HSTS is active and a connection is not trusted (e.g., invalid certificate), browsers will display a non-bypassable warning:

Microsoft Edge Blocking Page:

Alt Text: Microsoft Edge browser displaying a full-page error indicating HSTS is preventing access due to an insecure connection.

Mozilla Firefox Blocking Page:

Alt Text: Mozilla Firefox browser showing an error page stating that the browser has detected a potential security threat and is blocking access due to HSTS policy.

Disabling HSTS on Exchange Server

If you need to disable HSTS, follow these steps for Exchange Server 2019 and 2016.

Exchange Server 2019

Disable HSTS via PowerShell (Exchange Server 2019)

Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

$sitesCollection = Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection
$siteElement = Get-IISConfigCollectionElement -ConfigCollection $sitesCollection -ConfigAttribute @{"name"="Default Web Site"}
$hstsElement = Get-IISConfigElement -ConfigElement $siteElement -ChildElementName "hsts"

Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "enabled" -AttributeValue $false
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "max-age" -AttributeValue 0
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "includeSubDomains" -AttributeValue $false
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "preload" -AttributeValue $false # If preload was enabled

Stop-IISCommitDelay
Remove-Module IISAdministration

Disable HSTS via IIS Manager (Exchange Server 2019)

  1. Open IIS Manager.

  2. Navigate to Sites > Default Web Site.

  3. Click HSTS... in the Actions pane.

  4. Uncheck Enable.

  5. Set Max-age to 0.

  6. Uncheck all other directives.

    Alt Text: HSTS configuration window in IIS Manager displaying all options unchecked and Max-age set to 0, indicating HSTS is disabled.

  7. Click OK.

Exchange Server 2016

Disable HSTS via PowerShell (Exchange Server 2016) – Windows Server 2012 & 2012 R2

Import-Module WebAdministration
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" -Filter "system.webServer/httpProtocol/customHeaders" -Name . -AtElement @{name="Strict-Transport-Security"}

Disable HSTS via PowerShell (Exchange Server 2016) – Windows Server 2016

Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

$iisConfig = Get-IISConfigSection -SectionPath "system.webServer/httpProtocol" -CommitPath "Default Web Site" | Get-IISConfigCollection -CollectionName "customHeaders"

# Match on the header name only, so the element is removed whatever directives (with or without preload) were configured
Remove-IISConfigCollectionElement -ConfigCollection $iisConfig -ConfigAttribute @{"name"="Strict-Transport-Security"}

Stop-IISCommitDelay
Remove-Module IISAdministration

Important: If you are disabling HSTS and had submitted your domain to the HSTS Preload List, remember to request removal from the list (https://hstspreload.org/removal/).

Conclusion

Ensuring HSTS is enabled on your HTTPS server is a critical step in bolstering your website’s security posture. By proactively enforcing HTTPS connections, you protect your visitors from downgrade attacks and session hijacking, while aligning with security best practices. Regularly check for the presence of the Strict-Transport-Security header and implement HSTS across your web infrastructure, including Exchange Servers, to create a safer online environment. Take action today to eliminate the “HSTS missing from HTTPS server” finding and enhance your website’s security.
