For best security practice, the Keyfactor Command web site should be configured to require SSL
TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. for all access. To do this:
- Open the IIS Manager MMC snap-in.
- Navigate to the Default Web Site.
- Under the Default Web Site Home, select SSL Settings.
- On the SSL Settings page, check the Require SSL box and, under Actions, click Apply.
Important: The Keyfactor Command web application is not configured to support HTTP Strict Transport Security (HSTS) by default. HSTS is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. An application enables HSTS by returning an HTTP response header that instructs users’ browsers to only interact with the site using secure transport methods. HSTS is supported by all modern browsers. To accommodate this, configure the server to always send the Strict-Transport-Security HTTP header on HTTPS connections:
Strict-Transport-Security: max-age=31536000; includeSubDomains
The max-age parameter A parameter or argument is a value that is passed into a function in an application. is given in seconds; the value shown above is equivalent to one year.
Instructions for implementation of HSTS are beyond the scope of this guide.