Even when HTTP access to your ArcGIS Enterprise portal is disabled, it is still potentially vulnerable to a class of security attacks known as SSL stripping. This type of attack exploits a lack of communication from the site to the web browsers of your users, informing them to only use HTTPS requests. If an attacker runs a fake copy of your portal website on port 80 and intercepts an initial HTTP request from a user's browser, they could potentially receive compromising security information from the user.
To close this vulnerability to SSL stripping attacks, the HTTP Strict Transport Security (HSTS) protocol configures your portal to provide this communication back to users' web browsers. HSTS can be enabled in an ArcGIS Enterprise 10.9.1 portal.
Enable HTTP Strict Transport Security in your portal
Starting in 10.6.1, the security configuration string in the ArcGIS Portal Administrator Directory contains a Boolean property HSTSEnabled, which is set to false by default. When this property is updated to true, the portal website tells web browsers to only send requests using secure HTTPS. This is done using a header, Strict-Transport-Security, directing the browser to strictly use HTTPS requests for the subsequent period of time defined by its max-age property (which is given in seconds). This duration is set to one year: Strict-Transport-Security: max-age=31536000.
If your users access your portal through your ArcGIS Web Adaptor or a reverse proxy server, enforcing HSTS in your site may have unintended consequences. In accordance with the header sent by HSTS protocol, users' web browsers will only send HTTPS requests to these devices; if the web server hosting your ArcGIS Web Adaptor or the reverse proxy server is simultaneously hosting other applications that do not use HTTPS, users will be unable to access those other applications. Ensure these dependencies do not exist before enabling HSTS.
To enable HSTS on your portal website, follow these steps:
- Sign in to your ArcGIS Portal Administrator Directory at https://portal.domain.com:7443/arcgis/portaladmin.
- Browse to Security > SSLCertificates > Update.
- On this page, check the HTTP Strict Transport Security (HSTS) enabled option to enable HSTS, and confirm Update.
By default, Portal for ArcGIS enforces HTTPS for all communication. If you have previously changed this setting to allow both HTTP and HTTPS communication for your portal, enabling HSTS will automatically reinforce HTTPS-only communication.
- Once the portal restarts, it begins returning the Strict-Transport-Security header to all web browsers sending requests to the site.
HTTP Strict Transport Security can also be enabled in an ArcGIS Server site.