The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
What does HSTS do for improving security?
You have HSTS configured on Zimbra and have configured a correct TLS certificate. One of your users is on the road an connects to a public wifi hotspot where all traffic is redirected to a rogue website. The rogue website will not have the correct TLS certificate for your Zimbra server domain. As a result HSTS will prevent the user from connecting to the rogue website. The browser will display a full page warning saying there is a TLS issue and that HSTS will prevent the user from connecting.
As a result the user cannot send credentials to the rogue website, and a man-in-the-middle attacks is avoided.
To enable HSTS run the following commands as the user zimbra:
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains" zmmailboxdctl restart
No comments yet.