Applies to: VisualSVN Server 5.1 and later
The HTTP Strict Transport Security (HSTS) policy enforces the use of the secure HTTPS protocol when accessing the server. When the policy is enabled on a server, all HSTS-capable clients will contact the server only through a secure connection (HTTPS). Thus, this policy helps to protect against man-in-the-middle attacks and does not allow users to ignore certificate warnings.
Before enabling HSTS, you have to ensure that VisualSVN Server is configured to use a secure connection (HTTPS) and that a valid TLS/SSL server certificate is installed.
The installed certificate must meet the following basic requirements:
- The certificate is trusted on the client computers.
- The certificate is issued to the correct server name.
- The certificate is not expired.
The HSTS policy will be silently ignored by the clients if any of the above prerequisites are not met. HSTS-capable clients enable the HSTS policy only when they receive a special response header from the server over a secure HTTPS connection and without any certificate errors.
How HSTS works
When HSTS is active in VisualSVN Server, the server supplies a special response header to all clients. The header informs the clients that all requests to the server must use an HTTPS connection for a defined period of time. By default, the period is one year (31536000 seconds).
HSTS-capable clients proceed as follows after receiving the HSTS response header:
- Remember that HSTS is enabled on the server for the defined period.
- Automatically upgrade all access attempts to the server from
- Prevent communication with the server if it presents an invalid server certificate.
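The client-side behaviour described above (the header is honoured only when it arrives over HTTPS without certificate errors, and the default period is one year) as an added Python example; it is not part of the VisualSVN documentation. The parser follows the RFC 6797 directive syntax for the Strict-Transport-Security header, and the sample response headers are constructed, not captured from a real server.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_MAX_AGE = 31536000  # one year, the VisualSVN Server default


@dataclass
class HstsPolicy:
    max_age: int                # seconds the client must keep using HTTPS
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).
    Returns None for a malformed value (no max-age, bad number, duplicate
    directive), which a client treats as if no header had been sent."""
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in seen:                      # a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', raw.strip())  # token or quoted-string
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives (for example "preload") are ignored, as the RFC requires
    if max_age is None:                       # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_subdomains)


def hsts_policy_from_response(scheme: str, cert_valid: bool,
                              headers: Dict[str, str]) -> Optional[HstsPolicy]:
    """Client rule: store the policy only if the header came over HTTPS
    with no certificate errors; otherwise the header is silently ignored."""
    if scheme.lower() != "https" or not cert_valid:
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


# Constructed sample headers, as a server with the default period would send them.
SAMPLE_HEADERS = {"Server": "Apache", "Strict-Transport-Security": f"max-age={DEFAULT_MAX_AGE}"}
```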
Configuring HTTP Strict Transport Security (HSTS)
Follow these steps to enable HSTS in VisualSVN Server:
- Start the VisualSVN Server Manager console.
- Click Action | Properties.
- Click the Network tab.
- Select the check box Enable HTTP Strict Transport Security (HSTS).
- Click Apply.
The VisualSVN Server HTTP service will restart and HSTS will become active.