HSTS missing

Roger Roger 6,841 Reputation points
2025-02-23T19:26:34.2933333+00:00

Hi all,

I have an Exchange 2016 hybrid environment and have identified the following vulnerability. Please suggest how to fix it.


Alex Zhang-MSFT 5,385 Reputation points Microsoft Vendor
    2025-02-24T02:04:46.3466667+00:00

    Hello, @Roger Roger,

    Welcome to the Microsoft Q&A platform!

    The "HSTS Missing from HTTPS Server (RFC 6797)" vulnerability in your Exchange 2016 hybrid environment indicates you need to configure HTTP Strict Transport Security (HSTS).

    Here is guidance for you to finish this:

    1. Open IIS Manager:
      • Sign in to your Exchange Server.
      • Open Internet Information Services (IIS) Manager.
    2. Navigate to Default Web Site:
      • In the Connections panel, click on Default Web Site.
    3. Add HSTS Header:
      • Double-click on HTTP Response Headers.
      • In the Actions panel, click on Add.
      • Add the following name and value:
      • Name: Strict-Transport-Security
      • Value: max-age=31536000; includeSubDomains; preload
      • Click OK.
    4. Verify HSTS Configuration:
      • Use a browser's inspector tool to check the HTTP headers.
      • Navigate to your Exchange Server's OWA address.
      • Open the inspector tool (usually F12), go to the Network tab, and refresh the page.
      • Look for the Strict-Transport-Security header in the response headers.

    This configuration ensures that browsers will only connect to your server using HTTPS, enhancing security by preventing protocol downgrade attacks and cookie hijacking.

    If you need more detailed guidance, you can refer to the official Microsoft documentation: Configure HTTP Strict Transport Security (HSTS) in Exchange Server | Microsoft Learn.


    If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

    Thank you for your support and understanding.

    Best Wishes,

    Alex Zhang
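The same change and check done from PowerShell rather than IIS Manager, as an added example that is not from the answer or from Microsoft's documentation: it adds the header to the Default Web Site with the IIS WebAdministration module and then reads it back from the OWA response. The site path, the idempotent add-or-update logic and the OWA URL placeholder are assumptions.

```powershell
# Added example (not the answer's or Microsoft's own script). Run in an elevated
# Windows PowerShell session on the Exchange server. Assumed: the site is
# 'Default Web Site' and https://mail.example.com/owa/ is a placeholder for your OWA URL.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'
$filter = 'system.webServer/httpProtocol/customHeaders'
$name   = 'Strict-Transport-Security'
# Same value as the answer. includeSubDomains applies HSTS to every subdomain of
# the host name, and preload asks browsers to hard-code the host into their
# preload lists, which is hard to reverse; leave either out if you are unsure.
$value  = 'max-age=31536000; includeSubDomains; preload'

# Idempotent: update the header if it already exists, otherwise add it.
$existing = Get-WebConfiguration -PSPath $site -Filter "$filter/add[@name='$name']"
if ($existing) {
    Set-WebConfigurationProperty -PSPath $site -Filter "$filter/add[@name='$name']" `
        -Name 'value' -Value $value
} else {
    Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
        -Value @{ name = $name; value = $value }
}

# Verify from the client side over HTTPS (browsers ignore HSTS sent over plain
# HTTP, RFC 6797). OWA usually answers with a redirect to the logon page; with
# -MaximumRedirection 0 Windows PowerShell raises on that redirect, so the
# header is read from the exception's response as well.
$owa = 'https://mail.example.com/owa/'
try {
    $resp = Invoke-WebRequest -Uri $owa -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    $hsts = $resp.Headers[$name]
} catch {
    $hsts = $_.Exception.Response.Headers[$name]
}

if ($hsts) {
    Write-Host "HSTS header present: $hsts"
} else {
    Write-Warning "No $name header in the response from $owa"
}
```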

