How to set up and modify HTTP Strict Transport Security (HSTS) in SecurityGateway

This article details what HTTP Strict Transport Security (HSTS) is and how to modify the HTTP response header in SecurityGateway.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects websites against protocol downgrade attacks and cookie hijacking. By sending an HSTS header, you instruct browsers that have seen it to access your website only over a secure HTTPS connection for the period the header specifies.

By default, SecurityGateway includes an HSTS header with a max-age of 1 month (2592000 seconds), which is a sensible starting value while you confirm that HTTPS is working correctly.

The header looks like the following and is sent in the HTTP response headers when the connection uses HTTPS (browsers ignore an HSTS header received over plain HTTP).

Strict-Transport-Security: max-age=2592000

Header Parameters:

  • max-age: Specifies the time (in seconds) for which browsers should remember to access your website only over HTTPS. A common value is 31536000 (1 year).
  • includeSubDomains (optional): Requires that all subdomains also be accessed only over HTTPS. For example, if SecurityGateway is reached at sg.company.test, then includeSubDomains requires HTTPS for *.sg.company.test as well.
  • preload (optional): Signals your intention to include the domain in the HSTS preload list maintained by browsers. Use this only after you have thoroughly tested your configuration and fully understand the implications. If you are unsure, do not set this parameter.

After HTTPS has been configured and is fully functioning in SecurityGateway, MDaemon Technologies recommends adjusting the parameters of the HSTS header to provide the strongest protection appropriate for your environment.

A commonly used HSTS policy sets max-age to 1 year and includes subdomains; the header then looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains

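As an added example (not SecurityGateway's own code), the following Python script parses a Strict-Transport-Security header value into the directives listed above and checks it against the recommended policy (max-age of one year plus includeSubDomains). It also flags the two cases that silently defeat HSTS: a header served over plain HTTP, which browsers ignore, and a header without max-age, which is invalid. The sample header values are constructed; check_url assumes an operator-supplied HTTPS URL and is the only part that touches the network.

```python
"""Parse a Strict-Transport-Security header value and evaluate it against the
recommended policy (max-age >= 1 year, includeSubDomains set).

Added example, not SecurityGateway code. The sample headers below are
constructed; check_url() queries a live server and is not run automatically.
"""
from dataclasses import dataclass
from typing import List, Optional
import urllib.request

ONE_YEAR = 31536000   # seconds; the max-age the article recommends
SG_DEFAULT = 2592000  # SecurityGateway's default max-age (30 days)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directives of an HSTS header value (RFC 6797 syntax).

    Directives are ';'-separated, names are case-insensitive and unknown
    directives are ignored. max-age is mandatory: a header without it is
    invalid and browsers discard it.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # value may be a quoted-string
        if name == "max-age":
            if max_age is not None:
                raise ValueError("max-age given more than once")
            if not raw.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {raw!r}")
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(headers: dict, scheme: str = "https") -> List[str]:
    """Return findings for a response's HSTS header; [] means it matches
    the recommended policy. `headers` maps header names to values and is
    looked up case-insensitively.
    """
    findings: List[str] = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme.lower() != "https":
        # RFC 6797: user agents ignore HSTS on responses that are not over TLS.
        findings.append("served over plain HTTP; browsers ignore HSTS here")
        return findings
    if value is None:
        findings.append("no Strict-Transport-Security header present")
        return findings
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed header: {exc}"]
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below the recommended "
                        f"{ONE_YEAR} (1 year)")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains are not covered")
    if policy.preload:
        findings.append("preload is set; confirm this is intended before submitting")
    return findings


def check_url(url: str) -> List[str]:
    """Fetch `url` (operator-supplied) and evaluate its HSTS header.
    Uses the final URL's scheme so a redirect to HTTPS is evaluated correctly.
    """
    with urllib.request.urlopen(url) as resp:
        scheme = resp.url.split(":", 1)[0]
        return evaluate_hsts(dict(resp.headers.items()), scheme)


if __name__ == "__main__":
    # Constructed responses: the SecurityGateway default, the recommended
    # policy, and the recommended header mistakenly served over HTTP.
    samples = {
        "default": ({"Strict-Transport-Security": f"max-age={SG_DEFAULT}"}, "https"),
        "recommended": ({"Strict-Transport-Security":
                         f"max-age={ONE_YEAR}; includeSubDomains"}, "https"),
        "over-http": ({"Strict-Transport-Security":
                       f"max-age={ONE_YEAR}; includeSubDomains"}, "http"),
    }
    for label, (hdrs, scheme) in samples.items():
        print(label, evaluate_hsts(hdrs, scheme) or ["OK"])
```

Run it against the SecurityGateway host with check_url("https://sg.company.test/") once the header has been changed; an empty list confirms the recommended policy is in place, and the "served over plain HTTP" finding is the one to look for if the check was accidentally pointed at the HTTP listener.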
To adjust the HTTP response headers for SecurityGateway:
  1. Log in as a global administrator.
  2. Select Setup/Users.
  3. Select System.
  4. Select HTTP Server.
  5. In the Server section, set the desired value for max age.
  6. (Optional) Check the "...include sub-domains" and/or "...add domain to HSTS preload list" boxes.
  7. Click Save.