HTTP Strict Transport Security (HSTS)

Description

HTTP Strict Transport Security (HSTS) is a web security policy mechanism defined in RFC 6797. The SonicOS management web server returns the Strict-Transport-Security response header automatically on every HTTPS response. The behaviour is hard-coded in the firmware and there is no administrator-facing option to enable, disable, or tune the policy. This article explains how to verify that the header is being emitted, how to interpret scanner findings that claim HSTS is not enabled, and what to do when the scan output disagrees with the firmware behaviour.

Background: RFC 6797 Directives
HSTS is delivered through the Strict-Transport-Security HTTP response header. A browser only honors the header when it arrives over HTTPS on a connection with no certificate errors; over plain HTTP it is ignored, which is why the policy cannot be observed on an HTTP-only probe. RFC 6797 defines three directives. max-age sets the policy lifetime in seconds and is the only required directive; 31536000 (one year) is the recommended steady-state value, and max-age=0 tells the browser to forget the host. includeSubDomains extends the policy to every subdomain of the host and should only be enabled once every subdomain of that host serves HTTPS with a valid certificate. preload signals consent for inclusion in browser preload lists; consider it only after the policy is stable and the deployment meets the published preload list requirements.

Management Settings Reference
Figure 1 below shows the Management tab as it appears on current Gen 7 and Gen 8 firmware. The visible controls cover HTTPS Port, Certificate Selection, Allow management via HTTP, and related backend and SSH settings. There is no HSTS toggle on this page. HSTS is hard-coded into the SonicOS web management process and is emitted on every HTTPS response, so there is no administrator-facing setting to configure, override, or remove.


Verification
Figure 2 below shows the SonicOS management interface and the corresponding Chrome DevTools Network panel. The Strict-Transport-Security response header is visible with max-age=31536000 (one year) and the includeSubDomains directive, confirming that the default enforcement is in effect. This output is the evidence to attach to a scanner remediation ticket. If a scanner still reports HSTS as missing, check how it probed the device before disputing the result: the header is only carried on HTTPS responses, so a scan of the HTTP management port will not see it, and RFC 6797 has browsers ignore the policy on a connection with certificate errors and never record it for a host addressed by IP literal, so a scan by IP address or through an untrusted management certificate may report the policy as ineffective even though the header is present in the response.
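One way to check a captured header and a disputed scan finding against RFC 6797, as an added example that is not SonicWall's code and not part of the original article; it covers the directive rules from the Background section and the Figure 2 check above. The hostname and IP address below are placeholders, the header values are constructed samples, and fetch_headers assumes the management server answers a HEAD request on / (it is not exercised by the samples).

```python
"""Added example, not SonicOS or SonicWall code: parse a
Strict-Transport-Security header as RFC 6797 section 6.1 describes, then
evaluate a response the way a careful scanner should, so a disputed finding
can be checked against what the header actually says.  Sample headers are
constructed for the example; hostnames and addresses are placeholders."""
from __future__ import annotations

import http.client
import ipaddress
import re
import ssl
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # recommended steady-state max-age, in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False
    unknown: list[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """RFC 6797 section 6.1: directives are separated by ';', names are
    case-insensitive, max-age is required (quoted or unquoted delta-seconds),
    no directive may appear twice, and unknown directives are ignored."""
    max_age = None
    include_subdomains = preload = False
    unknown: list[str] = []
    seen: set[str] = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError(f"max-age must be delta-seconds, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            unknown.append(name)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload, unknown)


def evaluate_hsts(headers: dict[str, str], scheme: str, host: str) -> list[str]:
    """Findings for one response.  An empty list means the policy is present
    and matches the values this article recommends."""
    if scheme.lower() != "https":
        # RFC 6797 section 8.1: the header is ignored over plain HTTP, so a
        # scan of the HTTP port cannot observe HSTS; that is not a defect.
        return ["not-applicable: HSTS is only carried and honored over HTTPS"]
    findings: list[str] = []
    try:
        ipaddress.ip_address(host.strip("[]"))
        # RFC 6797 section 8.1: a host given as an IP literal is never
        # recorded as a known HSTS host, whatever the header says.
        findings.append("caveat: host is an IP address; browsers will not record the policy")
    except ValueError:
        pass
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("missing: no Strict-Transport-Security header on this HTTPS response")
        return findings
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        findings.append(f"invalid: {exc}")
        return findings
    if policy.max_age == 0:
        findings.append("disabled: max-age=0 instructs browsers to forget the host")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"weak: max-age={policy.max_age} is below one year ({ONE_YEAR})")
    if policy.preload and not (policy.include_subdomains and policy.max_age >= ONE_YEAR):
        findings.append("preload: list submission requires includeSubDomains and max-age >= one year")
    return findings


def fetch_headers(host: str, port: int = 443, path: str = "/",
                  verify: bool = True) -> dict[str, str]:
    """HEAD the management URL and return its response headers.  Assumes the
    server answers HEAD on the path; verify=False is only for a self-signed
    management certificate you have already inspected."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample: the header Figure 2 shows on the HTTPS management response.
SAMPLE_OK = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
# Constructed sample: a short max-age, to show the weak finding.
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}

if __name__ == "__main__":
    for label, hdrs, scheme, host in [
        ("figure-2", SAMPLE_OK, "https", "firewall.example.net"),   # placeholder host
        ("http-probe", SAMPLE_OK, "http", "firewall.example.net"),
        ("by-ip", SAMPLE_WEAK, "https", "192.0.2.1"),               # placeholder address
    ]:
        print(label, evaluate_hsts(hdrs, scheme, host) or ["ok"])
```

Against a live firewall, evaluate_hsts(fetch_headers("firewall.example.net"), "https", "firewall.example.net") applies the same checks to the real response; the manual equivalent is `curl -sSI` against the HTTPS management URL and reading the Strict-Transport-Security line, which is the same evidence Figure 2 shows.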


Support
For implementation assistance, contact SonicWall Support.
