Even when the ArcGIS Monitor Server web protocol setting is set to HTTPS, it is still potentially vulnerable to a class of security attacks known as SSL stripping. This type of attack exploits the absence of any instruction from the site telling your users' web browsers to use only HTTPS requests. If an attacker runs a fake copy of ArcGIS Monitor on port 30080 and intercepts an initial HTTP request from a user's browser, they could potentially receive compromising security information from the user.
To close this gap, HTTP Strict Transport Security (HSTS) provides exactly that instruction: when enabled, Monitor Server tells users' web browsers to use only HTTPS. HSTS can be enabled for Monitor Server.
The HTTP Strict Transport Security setting is turned off by default. When this setting is turned on, Monitor instructs web browsers to only send requests using secure HTTPS. This is done using a header, Strict-Transport-Security, that directs the browser to strictly use HTTPS requests for the duration defined by its max-age property (expressed in seconds). Monitor sets this duration to one year: Strict-Transport-Security: max-age=31536000.
If your users access Monitor through a reverse proxy server, enforcing HSTS may have unintended consequences. In accordance with the header sent by the HSTS protocol, users' web browsers will only send HTTPS requests to the specified device; if the reverse proxy server is simultaneously hosting other applications that do not use HTTPS, users will be unable to access those other applications. Ensure that these dependencies do not exist before enabling HSTS.
To enable HSTS for Monitor Server, complete these steps:
- Access ArcGIS Monitor, if necessary.
The Home page appears.
- Click Administration.
The Administration page appears.
- Click Edit next to HTTP Communication Settings on the Administration page.
The HTTP Communication Settings dialog box appears.
- Turn on the HTTP Strict Transport Security toggle button.
When Monitor Server restarts, the HTTP Protocols setting is automatically set to HTTPS.
- Click Save and Restart.
Once Monitor Server restarts, it begins returning the Strict-Transport-Security header to all web browsers that are sending requests.
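A check you can run against captured responses after Save and Restart, confirming that the Strict-Transport-Security header described above is present with the expected max-age. This is an added example, not Esri's code; the sample header dictionaries are constructed, and the scheme check reflects RFC 6797, under which browsers ignore the header on plain HTTP responses.

```python
# Added example, not Esri's code: parse an HSTS header value (RFC 6797) and
# check that a captured response enforces the policy the text describes.
import re

ONE_YEAR = 31536000  # seconds; the max-age Monitor Server sends per the text
HSTS = "strict-transport-security"

def parse_hsts(value: str) -> dict:
    """Directives are ';'-separated and case-insensitive; max-age is required.
    Returns {'max-age': int, 'includeSubDomains': bool, 'preload': bool}."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"bad max-age: {arg!r}")
            policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max-age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def check_hsts(scheme: str, headers: dict, min_age: int = ONE_YEAR) -> list:
    """Return findings for one captured response; empty means HSTS is enforced.
    Browsers ignore the header on plain HTTP, so only the HTTPS response counts."""
    if scheme.lower() != "https":
        return ["header is only honored over HTTPS; check the HTTPS response"]
    value = next((v for k, v in headers.items() if k.lower() == HSTS), None)
    if value is None:
        return ["Strict-Transport-Security missing: SSL stripping still possible"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    if policy["max-age"] == 0:
        return ["max-age=0 tells browsers to drop the policy"]
    if policy["max-age"] < min_age:
        return [f"max-age {policy['max-age']} is below the expected {min_age}"]
    return []

# Constructed sample headers, as captured before and after Save and Restart
MONITOR_BEFORE = {"Content-Type": "text/html"}
MONITOR_AFTER = {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000"}
```

Run check_hsts("https", ...) on the headers of the HTTPS response from the Monitor Server port; an empty list means the header is present with at least the one-year max-age.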