HTTP Strict Transport Security (HSTS) adds a layer of security to your organization's web traffic.
By default, the HSTS protocol option is turned off in ArcGIS Enterprise on Kubernetes.
While ArcGIS Enterprise on Kubernetes only allows communication over HTTPS, it is still potentially vulnerable to a class of security attacks known as SSL stripping. This type of attack exploits the absence of an instruction from the site telling your users' web browsers to use only HTTPS requests.
If an attacker runs an inauthentic copy of your ArcGIS Enterprise on Kubernetes deployment on the same port and intercepts a user's initial HTTP request before it is redirected to HTTPS, they can potentially obtain compromising security information from that user.
To close this vulnerability to SSL stripping attacks, turning on HSTS configures your site to send this instruction (the Strict-Transport-Security response header) back to users' web browsers, which then refuse to make plain HTTP requests to the site for the period the header specifies.
Turn on HSTS
You can turn HSTS on or off at any time using ArcGIS Enterprise Manager.
- Sign in to ArcGIS Enterprise Manager.
- Click the Security page tab.
- Click the TLS Certificates tab.
- Under TLS Properties, turn on the HTTP Strict Transport Security (HSTS) toggle button.
You can turn off HSTS in the same way.
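After turning the toggle on, it is worth confirming that HTTPS responses from the deployment actually carry a usable Strict-Transport-Security header, since a missing or zero max-age means browsers will not enforce HTTPS. The checker below is an added example, not code from the ArcGIS documentation or product; the header values in it are constructed, and `fetch_headers` is an assumed helper for retrieving response headers from a URL you supply.

```python
"""Check a response's Strict-Transport-Security header for the conditions
browsers require before they enforce HTTPS (RFC 6797). Example code added
to this page; header values used for checks are constructed."""
import re
import urllib.request

# One directive: name, optionally followed by '=' and a (possibly quoted) value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*)"?)?\s*')


def parse_hsts(value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains' into {name: value}.
    Flag directives (no '=') map to True; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        m = _DIRECTIVE.fullmatch(part)
        if part.strip() and m:
            name, val = m.group(1).lower(), m.group(2)
            directives[name] = val if val is not None else True
    return directives


def check_hsts(headers: dict, min_age: int = 31536000) -> tuple:
    """Return (enforced, reason) for a mapping of response headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header: HSTS is off"
    d = parse_hsts(value)
    if "max-age" not in d:
        return False, "max-age directive missing; browsers ignore the header"
    try:
        age = int(d["max-age"])
    except (TypeError, ValueError):
        return False, "max-age is not an integer; browsers ignore the header"
    if age == 0:
        return False, "max-age=0 tells browsers to forget the host: HSTS is off"
    if age < min_age:
        return False, f"max-age {age} is below the recommended {min_age} seconds"
    flags = [f for f in ("includesubdomains", "preload") if f in d]
    extra = ", " + ", ".join(flags) if flags else ""
    return True, f"HSTS enforced, max-age={age}{extra}"


def fetch_headers(url: str) -> dict:
    """Assumed helper: GET the URL over HTTPS and return its response headers."""
    with urllib.request.urlopen(url) as resp:  # HTTPS URL of your deployment
        return dict(resp.headers)


if __name__ == "__main__":  # usage: python hsts_check.py https://host/context/
    import sys
    print(check_hsts(fetch_headers(sys.argv[1])))
```

Run it against the HTTPS URL of the deployment after enabling the toggle; an `enforced` value of `False` with the reason text tells you why browsers would still accept plain HTTP.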