Even when your ArcGIS Server site's web protocol is set to HTTPS Only, it is still potentially vulnerable to a class of security attacks known as SSL stripping. This type of attack exploits a lack of communication from the site to the web browsers of your users, informing them to only use HTTPS requests. If an attacker runs a fake copy of your ArcGIS Server site on port 80 and intercepts an initial HTTP request from a user's browser, they could potentially receive compromising security information from the user.
To close this vulnerability to SSL stripping attacks, the HTTP Strict Transport Security (HSTS) protocol configures your site to provide this communication back to users' web browsers. HSTS can be enabled in an ArcGIS Server 10.9 site.
Enable HSTS in your site
Starting in 10.6.1, the security configuration string in the site's ArcGIS Server Administrator Directory contains a Boolean property HSTSEnabled, which is set to false by default. When this property is updated to true, the ArcGIS Server site tells web browsers to only send requests using secure HTTPS. This is done using a header, Strict-Transport-Security, directing the browser to strictly use HTTPS requests for the subsequent period of time defined by its max-age property (which is given in seconds). This duration is set to one year: Strict-Transport-Security: max-age=31536000.
If your users access your ArcGIS Server site through your ArcGIS Web Adaptor or a reverse proxy server, enforcing HSTS in your site may have unintended consequences. In accordance with the header sent by HSTS protocol, users' web browsers will only send HTTPS requests to these devices; if the web server hosting your ArcGIS Web Adaptor or the reverse proxy server is simultaneously hosting other applications that do not use HTTPS, users will be unable to access those other applications. Ensure that these dependencies do not exist before enabling HSTS.
To enable HSTS in your ArcGIS Server site, follow these steps.
- Sign in to your ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin.
- Browse to security > config > update.
- If the Protocol parameter is not already set to HTTPS Only, set it now.
- When HTTP communication is disabled by the site protocol, the HTTP Strict Transport Security (HSTS) enabled option will be available. Check this box to enable HSTS, and click Update.
- Once the server site restarts, it begins returning the Strict-Transport-Security header to all web browsers sending requests to the site.
HTTP Strict Transport Security can also be enabled in an ArcGIS Enterprise portal.