
How to configure FortiWeb HSTS preload header and domain website HSTS preload list submission

This article describes how to enable the HSTS preload header in FortiWeb and domain HSTS preloading list submission.

Scope

FortiWeb.

Solution

Prerequisites:

  • The domain and all subdomain websites are HTTPS-ready and use valid SSL certificates.
  • FortiWeb v6.3.17 and above.
  • The HSTS preload header must be added to the root domain.

HSTS (HTTP Strict Transport Security) is a response header that instructs web browsers to connect to the domain and its subdomains over HTTPS only. The HSTS ‘preload’ directive is an additional token in the HSTS header that signals the domain owner’s consent to have the domain added to Chrome’s preload list. The HSTS preload list is hardcoded into Chrome as the list of websites that are only ever connected to over HTTPS.

Step 1: Before making any configuration changes, check the HSTS preload status and eligibility via the website ‘hstspreload.org’. The example shows that the website ft-dev.site has no HSTS header present in the web response.

Step 2: Log in to FortiWeb and navigate to the server policy of ft-dev.site. Open the Advanced SSL settings of the server policy.

Step 3: In the Advanced SSL settings panel, expand HTTPS Header Insertion and enable the option Add HSTS Header. The HSTS header will have the default max-age of 15552000 seconds, which is equal to 180 days.

Step 4: Save the default config and recheck the HSTS preload eligibility test result. The test will still fail, because HSTS preload requires the header to carry the includeSubDomains and preload directives. The header max-age also has a minimum requirement of 1 year.

Step 5: Go back to the FortiWeb server policy HTTPS Header Insertion settings panel. Change the max-age value to 31536000 (1 year) and enable both Include Sub Domains and Preload options.

Step 6: Save the settings and recheck the HSTS preload eligibility test. The test should now report that the domain is eligible for HSTS preload submission.

Step 7: The header can also be verified by requesting the site’s response headers with the cURL command.
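As an added example (not FortiWeb’s or Fortinet’s own code), the following Python script applies the three header requirements from steps 4 and 5 to a Strict-Transport-Security value, such as one captured with the cURL command above; the sample header values are constructed to mirror the step 3 default and the step 5 result.

```python
"""Check a Strict-Transport-Security header value against the HSTS preload
submission requirements: max-age >= 1 year, includeSubDomains and preload."""
import re

# Minimum max-age (seconds) required for preload submission: one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Split an HSTS header value into (max_age or None, set of lowercase flags).
    Directives are ';'-separated and case-insensitive; max-age may be quoted."""
    max_age = None
    flags = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if match:
                max_age = int(match.group(1))
        else:
            flags.add(name)
    return max_age, flags


def preload_problems(header_value):
    """Return the reasons the header is not preload-eligible; an empty list
    means all three header requirements are satisfied."""
    if header_value is None:
        return ["no Strict-Transport-Security header in the response"]
    problems = []
    max_age, flags = parse_hsts(header_value)
    if max_age is None:
        problems.append("max-age directive missing or malformed")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if "includesubdomains" not in flags:
        problems.append("includeSubDomains directive missing")
    if "preload" not in flags:
        problems.append("preload directive missing")
    return problems


# Constructed sample values: FortiWeb's default after step 3 (180 days, no
# directives) and the header produced by the step 5 settings.
FORTIWEB_DEFAULT = "max-age=15552000"
FORTIWEB_PRELOAD = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    # A live value can be obtained with: curl -sI https://<domain>/ | grep -i strict
    for label, value in (("step 3 default", FORTIWEB_DEFAULT), ("step 5", FORTIWEB_PRELOAD)):
        issues = preload_problems(value)
        print(f"{label}: {'eligible' if not issues else '; '.join(issues)}")
```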