Configuring transport security response headers - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Locale
English
Product name
BlueCat Gateway
Version
24.1

Within Security settings in the General Configuration, you can configure the Strict-Transport-Security response header. This HTTP response header lets Gateway webpages tell browsers that the site should be accessed only over the HTTPS protocol, never over plain HTTP.

Attention: As a security best practice, BlueCat strongly recommends enabling this option.

For more information on Strict Transport Security response headers, see Strict-Transport-Security on the Mozilla website.

To configure Gateway security response headers:

  1. Open the General configuration window, then expand the Security section. (Click the Navigator button if necessary, then click Configurations > General configuration. Click Security at the bottom to expand the Security settings.)

  2. Scroll down to the HTTP strict transport security section, then configure the Strict Transport Security settings you want:

    • To enable this feature and enforce the use of the HTTPS protocol instead of HTTP by browsers, select the Strict Transport Security checkbox.

      Doing so enables use of the strict-transport-security response header. This header tells browsers that the page should only be accessed using HTTPS.

    • In Max Age (seconds), set the number of seconds that the browser should remember that the site should be restricted to HTTPS.

      The default value is 31556926 seconds (about 365 days).

    • To specify that the rule applies to all of the site's subdomains, select the Include Subdomains checkbox.

  3. When you're done, click Save.

    To cancel your changes, click Cancel.
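After saving, the quickest way to confirm that Gateway is really sending the header with the configured values is to inspect an HTTPS response. The following Python script is an added example, not BlueCat's code; the expected max-age and the includeSubDomains requirement are assumptions matching the defaults described above, and the Gateway URL is a placeholder you supply.

```python
# Verify the Strict-Transport-Security header a Gateway host actually sends.
# Added example, not part of BlueCat Gateway; the URL you pass is a placeholder.
import urllib.request

EXPECTED_MAX_AGE = 31556926  # Gateway default Max Age from the settings above


def parse_hsts(value):
    """Parse an HSTS header value into {'max-age': int, 'includesubdomains': bool,
    'preload': bool}; return None when max-age is missing or not a number."""
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            result["max-age"] = int(val)
        elif name == "includesubdomains":
            result["includesubdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max-age"] is not None else None


def check_hsts(headers, min_max_age=EXPECTED_MAX_AGE, want_subdomains=True):
    """Return findings for a response header mapping; an empty list means the
    policy matches the settings configured in the Gateway UI."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing: HSTS is not enabled"]
    parsed = parse_hsts(value)
    if parsed is None:
        return [f"malformed Strict-Transport-Security value: {value!r}"]
    findings = []
    if parsed["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HTTPS-only rule")
    elif parsed["max-age"] < min_max_age:
        findings.append(f"max-age {parsed['max-age']} is below the expected {min_max_age}")
    if want_subdomains and not parsed["includesubdomains"]:
        findings.append("includeSubDomains not set; subdomains are not covered")
    return findings


def fetch_headers(url):
    """Fetch response headers over HTTPS (browsers ignore HSTS sent over plain HTTP)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers)
```

Run `check_hsts(fetch_headers("https://<gateway-host>/"))` against your Gateway; an empty list means the header matches the settings above, and each string returned names one mismatch.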