
Enforce strict HTTPS communication

Even when the ArcGIS Monitor Server web protocol setting is set to HTTPS, it is still potentially vulnerable to a class of security attacks known as SSL stripping. This type of attack exploits the absence of any instruction from the site to your users' web browsers telling them to use only HTTPS requests. If an attacker runs a fake copy of ArcGIS Monitor on port 30080 and intercepts an initial HTTP request from a user's browser, they could potentially receive compromising security information from the user.

To close this vulnerability to SSL stripping attacks, the HTTP Strict Transport Security (HSTS) protocol configures Monitor Server to send that instruction to users' web browsers. HSTS can be enabled for Monitor Server.

Enable HSTS

The HTTP Strict Transport Security setting is turned off by default. When it is turned on, Monitor instructs web browsers to send requests only over secure HTTPS. This is done using the Strict-Transport-Security header, which directs the browser to use HTTPS exclusively for the duration defined by its max-age property (in seconds). Monitor sets this duration to one year: Strict-Transport-Security: max-age=31536000.

Caution:

If your users access Monitor through a reverse proxy server, enforcing HSTS may have unintended consequences. In accordance with the header sent by the HSTS protocol, users' web browsers will only send HTTPS requests to the specified device. If the reverse proxy server is simultaneously hosting other applications that do not use HTTPS, users will be unable to access those other applications. Ensure that there are no applications on the reverse proxy server that do not use HTTPS before enabling HSTS.

To enable HSTS for Monitor Server, complete the following steps:

  1. Access Monitor if necessary.

    The Home page appears.

  2. Click Administration.

    The Administration page appears.

  3. In the HTTP communication settings section, click Edit.

    The HTTP communication settings dialog box appears.

  4. Turn on the HTTP strict transport security toggle button.

    When Monitor Server restarts, the HTTP protocol setting is automatically set to HTTPS.

  5. Click Save.

    The HTTP communication settings are saved and a confirmation message appears.

  6. Click Restart server to restart Monitor and apply the changes.

    Once Monitor restarts, it begins returning the Strict-Transport-Security header to all web browsers that are sending requests.
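After the restart, it is worth confirming from a client that the header is actually being returned with the expected max-age, since a missing, malformed, or max-age=0 header leaves browsers exactly as exposed to SSL stripping as before. The following script is an added example and is not part of the ArcGIS Monitor documentation or product; it parses a Strict-Transport-Security value using the RFC 6797 directive syntax, classifies it against the one-year value described above, and can optionally send a single HTTPS HEAD request to a host you supply. The hostname and port defaults are placeholders, and the one-year threshold is taken from the page.

```python
"""Check that a server returns a usable Strict-Transport-Security header.

Added example, not ArcGIS Monitor documentation or product code. The host,
port and sample header values are constructed placeholders.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional

ONE_YEAR_SECONDS = 31536000  # max-age value the page says Monitor sends


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns None when the header is absent or carries no valid max-age,
    which is the state that leaves a browser open to SSL stripping.
    """
    if header_value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: browsers ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header_value: Optional[str],
                  minimum_age: int = ONE_YEAR_SECONDS) -> str:
    """Classify a header value as 'missing', 'disabled', 'short' or 'ok'."""
    policy = parse_hsts(header_value)
    if policy is None:
        return "missing"
    if policy.max_age == 0:
        return "disabled"  # max-age=0 tells browsers to forget the policy
    if policy.max_age < minimum_age:
        return "short"
    return "ok"


def fetch_hsts_header(host: str, port: int = 443, path: str = "/") -> Optional[str]:
    """Send one HTTPS HEAD request and return the raw header value, if any.

    Browsers only honour HSTS received over HTTPS, so the check uses TLS too.
    """
    conn = http.client.HTTPSConnection(
        host, port, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("HEAD", path)
        response = conn.getresponse()
        return response.getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Placeholder host and port; pass your Monitor Server HTTPS endpoint instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "monitor.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    value = fetch_hsts_header(host, port)
    print(f"{host}:{port} Strict-Transport-Security={value!r} -> {evaluate_hsts(value)}")
```

Run it against the HTTPS endpoint of Monitor Server; a result of "ok" means the header is present with at least the one-year max-age. If Monitor sits behind a reverse proxy, run the check against the proxy's hostname as well, because that is the host the browser will record the policy for.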
