Did you know? Zimbra HTTP Strict Transport Security (HSTS)

The HTTP Strict-Transport-Security response header (usually abbreviated HSTS) tells browsers that the site must only be accessed over HTTPS, for as long as the max-age directive in the header says, and that any future attempt to reach it over plain HTTP should be rewritten to HTTPS before the request leaves the browser.

What does HSTS do for improving security?

Suppose HSTS is enabled on your Zimbra server and the server presents a valid TLS certificate for its domain. One of your users is on the road and connects to a public Wi-Fi hotspot where all traffic is redirected to a rogue website. The rogue website cannot present a valid TLS certificate for your Zimbra server's domain name. Because the user's browser has already stored the HSTS policy from an earlier visit, two things happen: it refuses to fall back to plain HTTP (so a downgrade to an unencrypted page is not possible), and it treats the certificate error as fatal. Instead of the usual click-through warning, the browser shows a full-page error saying that the certificate is invalid and that the site's HSTS policy prevents connecting, with no option to proceed.

As a result the user cannot send credentials to the rogue website, and the man-in-the-middle attack is avoided. Note that the browser only knows the policy after at least one successful HTTPS visit to the site; the very first connection from a new browser or profile is not protected unless the domain is on the browsers' built-in HSTS preload list.

Before enabling it, note what the header value below commits you to: max-age=31536000 tells browsers to remember the policy for one year, and includeSubDomains extends it to every subdomain of the host, so make sure every host under that domain is reachable over HTTPS with a valid certificate. To enable HSTS, run the following commands as the user zimbra (zmprov mcf changes the global config, and the mailboxd restart makes the new header take effect):

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
zmmailboxdctl restart
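After the restart, verify that the server actually sends the header and that its directives are sane. The script below is an added example and not Zimbra's own code: it parses a block of HTTP response headers, extracts the Strict-Transport-Security policy, checks max-age against a one-year minimum (the value used in the command above) and reports whether includeSubDomains is set. The sample header blocks are constructed for the demo, not captured from a real server, and the hostname mail.example.com in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not Zimbra's own code): sanity-check an HSTS policy.
# Live use:  curl -sI "https://mail.example.com/" > hdrs.txt
#            hsts_check "$(cat hdrs.txt)"
# (mail.example.com is a placeholder hostname.)

# hsts_policy HEADERS -> prints the value of the first
# Strict-Transport-Security header in HEADERS, or nothing if absent.
hsts_policy() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# hsts_max_age POLICY -> prints the max-age number (quotes allowed by
# RFC 6797 are tolerated), or nothing if the directive is missing.
hsts_max_age() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# hsts_check HEADERS [MIN_AGE] -> prints a verdict and returns
#   0 = policy present and max-age >= MIN_AGE (default one year)
#   1 = no usable policy (header missing, no max-age, or max-age=0)
#   2 = policy present but max-age below MIN_AGE
hsts_check() {
    policy=$(hsts_policy "$1")
    min_age=${2:-31536000}
    if [ -z "$policy" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi
    age=$(hsts_max_age "$policy")
    if [ -z "$age" ]; then
        echo "FAIL: policy has no max-age directive: $policy"
        return 1
    fi
    if [ "$age" -eq 0 ]; then
        echo "FAIL: max-age=0 tells browsers to forget the policy"
        return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "WARN: max-age=$age is below the minimum of $min_age"
        return 2
    fi
    case $(printf '%s' "$policy" | tr '[:upper:]' '[:lower:]') in
        *includesubdomains*) subs="includeSubDomains set" ;;
        *) subs="includeSubDomains NOT set (subdomains stay unprotected)" ;;
    esac
    echo "OK: max-age=$age, $subs"
    return 0
}

# Constructed sample responses for the demo (not real server output).
HDR_GOOD='HTTP/1.1 200 OK
Server: Zimbra
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

HDR_WEAK='HTTP/1.1 200 OK
strict-transport-security: max-age=600
Content-Type: text/html'

HDR_NONE='HTTP/1.1 200 OK
Content-Type: text/html'

for h in "$HDR_GOOD" "$HDR_WEAK" "$HDR_NONE"; do
    hsts_check "$h" || :
done
```

Run the check against the HTTPS port only: browsers ignore a Strict-Transport-Security header received over plain HTTP, so a header that is present on port 80 but missing on port 443 gives no protection at all. A short max-age (as in the second sample) is what you would use while first rolling HSTS out; raise it to a year once every host under the domain is confirmed to serve a valid certificate.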



Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.
