IIS 7.5 and IIS 8.0 European Hosting

BLOG about IIS 7.5 Hosting, IIS 8.0 Hosting and Its Technology - Dedicated to European Windows Hosting Customer

European IIS 8.5 Hosting - HostForLIFE.eu :: How to Enable HTTP Strict-Transport-Security (HSTS) on IIS

clock December 22, 2016 06:04 by author Scott

In this article, we will only show simple tutorial about how to enable and serve HTTP Strict Transport Security (HSTS) response header in IIS.

Definition HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking.

HSTS improves security and prevents man-in-the-middle attacks, downgrade attacks, and cookie-hijacking.

It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.

Therefore, adding a HSTS header is important after you’ve added SSL to your WordPress website, so browsers automatically request your HTTPS address.

All you need to add to your web.configconfiguration file is an Outbound Rule, to rewrite request responses and sending the HTTP Strict Transport Security response header:

<outboundRules>
  <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
    <conditions>
      <add input="{HTTPS}" pattern="on" ignoreCase="true" />
    </conditions>
    <action type="Rewrite" value="max-age=31536000" />
  </rule>
</outboundRules>

HSTS and includeSubdomains #

Do you have your SSL (TLS) certificate on your www. subdomain? Then you need to include it using includeSubdomains. The outboundRules rule then becomes:

<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
  <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
  <conditions>
    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
  </conditions>
  <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>

HSTS header in WordPress functions.php #

You can set a HSTS header through your functions.php theme file as well. For this to happen, you can hook into the send_headers action.

Use the following code in your functions.php to send a HSTS header:

<?php
add_action( 'send_headers', 'saotn_add_hsts_header' );
function saotn_add_hsts_header() {
  header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}



European IIS Hosting - HostForLIFE.eu :: How to Check Trace is Enabled on IIS Server

clock December 9, 2016 07:33 by author Scott

Trace \ Track is a vulnerability that is usually identified on an IIS server when we run PCI compliance and find this vulnerability. A hacker can run a Trace attack on IIS Website and get information about the Backend server and other important information.

In latest versions on IIS (IIS 6.0, 7.5) Trace is disabled by default but still it is good idea to make sure that Trace is disabled on IIS.

Testing if Trace \ Track is Enabled on a IIS website or not

Follow these steps :

1. Go to command Prompt of your Machine.
2. Type telnet <URL of the website> 80 (this will open a telnet session of that website on port 80)
3. Type following commands on the telnet session screen in exact same order: 

    TRACE / HTTP/1.0
    Host: <hostname_you_are_testing>
    TestA: Hello
    TestB: World


4. Press enter twice. 

If Trace is enabled on your server, you should see following results:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/7.5
    Date: Tue, 05 Dec 2016 08:17:15 GMT
    Content-Type: message/http
    Content-Length: 76 


And If you receive following results on the telnet screen, then Trace is enabled :

     HTTP/1.1 501 Not Implemented
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Tue, 06 Dec 2016 09:32:58 GMT
    Content-Length: 1508


    Connection: close

Disabling Trace or Track on IIS

The easiest way to mitigate the risk of Trace \ Track on iis is  : installing URLScan from Microsoft, 
The urlscan.ini file is included as part of URLScan . This sets by default a configuration setting "UseAllowVerbs=1".  In this [AllowVerbs] section of the ini file, only http methods that are allowed are GET, HEAD, and POST so simply by installing URLScan on an IIS server , we can assume that it  protected from TRACE or TRACK.  

 



About HostForLIFE.eu

HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes.

We have offered the latest Windows 2012 Hosting, ASP.NET 4.5 Hosting, ASP.NET MVC 5 Hosting, and SQL 2014 Hosting.

Tag cloud

Sign in