Thursday, April 28, 2016

Be aware of automatic Domino HSTS Settings

As part of our normal review of such things I ran an SSL Labs test on our sites, only to discover that we now had duplicate Strict-Transport-Security header entries in our responses.

Not a terrible thing, but the SSL test does point it out, and after some examination I realized that Domino now adds that header automatically once you only use HTTPS or if you redirect to HTTPS, as explained by the very helpful Dave Kern right here: https://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS

Since we use a Netscaler in front of our Domino servers to add a variety of security measures and other network enhancements, I decided I did not want Domino also adding its own header, so I set the nifty notes.ini setting of ...

HTTP_ENABLE_HSTS=0

which did the trick!
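A small check for the duplicate-header condition described above, as an added example that is not part of the original post: it pulls every Strict-Transport-Security header out of a raw response and parses each one, so you can see which policy a browser will actually honour. The response text and header order are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the kind of response you get when both Domino (with its
# default HSTS behaviour) and a front-end device each add their own header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 28 Apr 2016 12:00:00 GMT\r\n"
    "Server: Lotus-Domino\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    "\r\n"
    "<html>...</html>"
)

def header_values(raw: str, name: str) -> List[str]:
    """Return every value of header `name` (case-insensitive) in a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, sep, value = line.partition(":")    # split only on the first colon
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS value into directives; names are lower-cased per RFC 6797."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            directives[k.strip().lower()] = v.strip().strip('"')
    return directives

def check_hsts(raw: str) -> Tuple[bool, List[Dict[str, str]]]:
    """Return (duplicate_found, directives of each occurrence, in wire order).

    RFC 6797 section 8.1 requires a user agent to process only the first STS
    header field it sees, so with duplicates the effective policy is whichever
    hop wrote its header first; the other one is silently ignored."""
    parsed = [parse_hsts(v) for v in header_values(raw, "Strict-Transport-Security")]
    return len(parsed) > 1, parsed

if __name__ == "__main__":
    duplicate, policies = check_hsts(SAMPLE_RESPONSE)
    print("duplicate HSTS header:", duplicate)
    for i, p in enumerate(policies, 1):
        print(f"  occurrence {i}: {p}{'  <- effective' if i == 1 else ''}")
```

Feed it the raw header block captured from `curl -sI https://host/` (or a proxy log) to confirm that exactly one policy, the one you intended, is left after HTTP_ENABLE_HSTS=0 is set.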