HTTP Strict Transport Security (HSTS)

Configuring HSTS ensures that all traffic with the server uses secure HTTPS connections instead of HTTP (browsers only honour the header when it arrives over an HTTPS response). HSTS can be configured in the Web.config of CXO-Cockpit via the Configurator by adding the Strict-Transport-Security header to the customHeaders element in the system.webServer section.

<configuration>
       :
  <system.webServer>
       :
    <httpProtocol>
      <customHeaders>
        :
        <!-- max-age is one year in seconds; includeSubDomains extends the policy to all subdomains -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
        :
      </customHeaders>
    </httpProtocol>
       :
  </system.webServer>
       :
</configuration>

Secure Cookies

When using HTTPS protocol for the CXO-Cockpit website, it is advised to set the following flags on cookies:

...

<configuration>
       :
  <system.webServer>
       :
    <rewrite>
      <outboundRules>
        <!-- Append SameSite=strict to every Set-Cookie header that does not already carry it -->
        <rule name="Add SameSite" preCondition="No SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=strict" />
        </rule>
        <preConditions>
          <!-- Both conditions must hold: a Set-Cookie header is present and it lacks SameSite=strict -->
          <preCondition name="No SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
       :
</configuration>
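The following Python script is an added example, not part of the CXO-Cockpit documentation or product. It validates a Strict-Transport-Security value against the setting above and simulates the "Add SameSite" outbound rule on constructed Set-Cookie values, so the rule's behaviour can be checked offline, including the case where a cookie already carries a different SameSite value (the precondition only looks for "; SameSite=strict", so the rule then appends a second SameSite attribute). Matching is done case-insensitively, mirroring URL Rewrite's default ignoreCase behaviour.

```python
import re

# Value the HSTS snippet above sets: one year in seconds.
EXPECTED_MAX_AGE = 31536000

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE_COOKIES = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "prefs=dark; path=/; SameSite=strict",
    "tracker=1; path=/; SameSite=Lax",
]


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}, names lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def hsts_findings(value):
    """Return a list of problems; an empty list means the value matches the page's setting."""
    d = parse_hsts(value)
    findings = []
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < EXPECTED_MAX_AGE:
        findings.append("max-age missing or below %d" % EXPECTED_MAX_AGE)
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    return findings


# The 'No SameSite' precondition, mirrored: header non-empty AND no "; SameSite=strict".
_HAS_STRICT = re.compile(r"; SameSite=strict", re.IGNORECASE)


def apply_samesite_rule(set_cookie):
    """Simulate the 'Add SameSite' outbound rule on a single Set-Cookie value."""
    if set_cookie and not _HAS_STRICT.search(set_cookie):
        # action type="Rewrite" value="{R:0}; SameSite=strict"
        return set_cookie + "; SameSite=strict"
    return set_cookie


def samesite_values(set_cookie):
    """List every SameSite value on the cookie; more than one means a duplicate attribute."""
    return [a.strip()[len("samesite="):] for a in set_cookie.split(";")
            if a.strip().lower().startswith("samesite=")]


def audit_cookies(cookies):
    """Map each cookie name to its SameSite values after the rule has run."""
    return {c.split("=", 1)[0]: samesite_values(apply_samesite_rule(c)) for c in cookies}
```

Running audit_cookies(SAMPLE_COOKIES) shows the third constructed cookie ending up with both "Lax" and "strict", which is the case to watch for when an application already sets SameSite itself.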