This article details what HTTP Strict Transport Security (HSTS) is and how to apply it for MDaemon's Webmail and Remote Administration web servers.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects websites against protocol downgrade attacks and cookie hijacking. By implementing HSTS headers, you ensure that your website can only be accessed over a secure HTTPS connection.
By default, MDaemon includes an HSTS header with a max age of 1 month (2592000 seconds), which is a good starting point for confirming that HTTPS is working correctly before committing browsers to it for longer.
The header looks like the following and can be found in the HTTP response headers when HTTPS is used.
Strict-Transport-Security: max-age=2592000
Header Parameters:
- max-age: Specifies the time (in seconds) that browsers should remember to only access your website using HTTPS. A common value is 31536000 (1 year).
- includeSubDomains (optional): Ensures that all subdomains are only accessible over HTTPS. For example, if you have MDaemon using mail.company.test, then includeSubDomains would require that HTTPS be used for *.mail.company.test.
- preload (optional): Signals your intention to include the domain in the HSTS preload list maintained by browsers. This should only be used after you have thoroughly tested your configuration and have a full understanding of the implications. If you are unsure, do not set this parameter.
After HTTPS has been configured and is fully functioning for Webmail and Remote Administration, MDaemon Technologies recommends adjusting the parameters of the HSTS header to provide the most security possible in your environment.
A commonly used HSTS header sets the max age to 1 year and includes subdomains; it looks like this:
Strict-Transport-Security: max-age=31536000; includeSubDomains
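As an added example (not part of the original article or of MDaemon), the following script parses a Strict-Transport-Security header value into its directives and reports how it differs from the recommended policy above. The two sample values are the article's default and recommended headers; the fetch_hsts helper and the URL it takes are assumptions for checking a live server after the change is saved.

```python
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the max-age value the article recommends


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Split a header value into directives (names are case-insensitive)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            max_age = int(arg) if arg.isdigit() else None  # None = unusable header
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def review_hsts(value: str) -> List[str]:
    """Return findings; an empty list means the value meets the recommended policy."""
    policy = parse_hsts(value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age missing or not a number; browsers ignore the header")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below the recommended {ONE_YEAR}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    # Preload-list submission requires includeSubDomains and a max-age of at least one year.
    if policy.preload and (not policy.include_subdomains or (policy.max_age or 0) < ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age of at least one year")
    return findings


def fetch_hsts(url: str) -> Optional[str]:
    """Assumed helper: read the live header from an HTTPS URL (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed samples: MDaemon's default header and the recommended one.
    for sample in ("max-age=2592000", "max-age=31536000; includeSubDomains"):
        print(sample, "->", review_hsts(sample) or "ok")
```

Run against a live server with fetch_hsts("https://mail.company.test/") once HTTPS is confirmed working; the helper only reports the header and never changes server settings.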
To adjust the HTTP response headers for Webmail:
- Log in to Remote Administration as a global administrator.
- Select Main
- Select Webmail Settings
- In the HTTP Response Headers section, select Strict-Transport-Security
- Click Edit
- In the Header Value section, set the header parameters and values desired.
- Click Add
- Click Save
To adjust the HTTP response headers for Remote Administration:
- Log in to Remote Administration as a global administrator
- Select Main
- Select Remote Admin Settings
- In the HTTP Response Headers section, select Strict-Transport-Security
- Click Edit
- In the Header Value section, set the header parameters and values desired.
- Click Add
- Click Save