What should I consider before implementing HSTS in PRTG? How can I mitigate the risks?



This article applies as of PRTG 25


HSTS headers in PRTG


Introduction to HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking by instructing web browsers to only interact with the server using secure HTTPS connections. Increasingly, IT security policies recommend using HSTS even in internal networks. While HSTS offers security benefits, it requires careful implementation, especially in enterprise environments like those using the PRTG Network Monitor.

Considerations

HSTS can be a double-edged sword, especially in the context of an on-premise solution like PRTG.

  1. Enterprise Environment Challenges: As noted in RFC6797 section 11.3, HSTS poses challenges in enterprise environments where all clients must have the enterprise CA certificates installed. If problems arise, this requirement will likely make troubleshooting more complicated.

  2. Configuration Complexity: HSTS is difficult to configure correctly. There are various implementation pitfalls that can undermine security or cause operational issues.

  3. Difficult Rollback: Implementing HSTS can create scenarios where reverting to HTTP during error conditions, switching SSL (root) certificates, or switching to a reverse proxy approach becomes extremely difficult. This is because you will need to clear the client caches, which is particularly problematic in distributed environments.

  4. Domain Configuration Complexities: HSTS adds complexity to domain/subdomain relationships and redirects, which requires careful planning of your PRTG infrastructure, and raises further questions around domain configuration, subdomains, and the includeSubDomains directive.

How to implement HSTS for the PRTG new UI

The new UI provides a built-in capability to set the HSTS header.


Important note: Before activating this header, make sure that you understand the above considerations. Paessler Support cannot help you with undoing the potential negative side effects of activating HSTS for your server.

If you determine that HSTS is necessary for your environment despite the above challenges, perform the following steps:

  1. Open the appserver.config.yml file, which is usually located in %ProgramData%\Paessler\PRTG Network Monitor.
  2. Under responseheader > https, enter two new lines:
    Strict-Transport-Security:
    - max-age=86400
    
  3. An example of the resulting responseheader part of the file:

    responseheader:
        default:
            cache-control:
                - max-age 86400
            content-security-policy:
                - frame-ancestors 'self'
            x-content-type-options:
                - nosniff
            x-frame-options:
                - SAMEORIGIN
            x-xss-protection:
                - 1; mode=block
        https: 
            Strict-Transport-Security:
                - max-age=86400
  4. max-age=86400 sets the HSTS policy to expire after one day. The usual recommendation is to set this to 1 or 2 years; however, to avoid problems, we recommend starting with a short time frame for testing purposes. Afterwards, you can extend it for use in production.

  5. Restart the PRTG Application Server Service via Task Manager for the changes to take effect.
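As an added example (not part of PRTG or this article), the following Python script parses a Strict-Transport-Security header value according to RFC 6797 and reports how it relates to the rollout advice above, so you can verify what the application server actually sends after the restart. The PRTG host name and CA file path are placeholders you must replace.

```python
"""Check a Strict-Transport-Security header against the rollout advice above.
Added example, not PRTG code. Host name and CA file below are placeholders."""
import re
import ssl
import urllib.request

DAY, YEAR = 86400, 365 * 86400
# RFC 6797 section 6.1: directives are name[=value] tokens separated by ';'
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*$')

def parse_hsts(value):
    """Return {lower-case directive name: value or None}; ValueError if malformed."""
    directives = {}
    for part in value.split(';'):
        if not part.strip():
            continue  # a trailing ';' leaves an empty element, which is allowed
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")  # RFC 6797 forbids repeats
        directives[name] = m.group(3)
    if not re.fullmatch(r'\d+', directives.get('max-age') or ''):
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives

def assess_hsts(value):
    """Translate a header value into findings relevant to a PRTG rollout."""
    d = parse_hsts(value)
    max_age = int(d['max-age'])
    findings = []
    if max_age == 0:
        findings.append("max-age=0: browsers drop the cached policy on their next visit (rollback signal)")
    elif max_age <= DAY:
        findings.append("short max-age: suitable for the testing phase described in the article")
    elif max_age < YEAR:
        findings.append("intermediate max-age: between the test value and the usual 1-2 year production value")
    else:
        findings.append("production max-age (>= 1 year): rollback requires every client to fetch a new policy")
    if 'includesubdomains' in d:
        findings.append("includeSubDomains: policy also binds every subdomain; all of them must serve valid HTTPS")
    if 'preload' in d:
        findings.append("preload: browser preload lists cannot be reverted by changing this header")
    return findings

def fetch_hsts(url, cafile=None):
    """Fetch the live header from PRTG (needs network; pass the enterprise CA via cafile)."""
    ctx = ssl.create_default_context(cafile=cafile)  # placeholder path, e.g. "enterprise-ca.pem"
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.headers.get('Strict-Transport-Security')

if __name__ == '__main__':
    # Constructed sample values; replace with fetch_hsts("https://prtg.example.internal/")
    for sample in ("max-age=86400", "max-age=63072000; includeSubDomains", "max-age=0"):
        print(sample, "->", assess_hsts(sample))
```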

What to do if you need to use the classic PRTG UI

The classic UI does not offer a native option to activate an HSTS header. If you need to secure this interface:

  • Consider making it inaccessible by blocking the port in your firewall.
  • Alternatively, implement HSTS at a proxy layer in front of PRTG.


Be aware that while the new PRTG UI offers most of the functionality of the classic PRTG UI, some elements are still missing. We recommend that you check whether your team can do their daily work in the new UI and consider which option is right for you.

Recommendations

Before implementing HSTS with PRTG:

  1. Consider alternative security approaches that may provide similar benefits with fewer operational risks.
  2. Test thoroughly in a non-production environment.
  3. Ensure all clients have proper certificate trust configured.
  4. Create a rollback plan in case of problems.

Note: An improper HSTS configuration can lead to extended service disruptions that are difficult to remediate due to browser caching of the HSTS policy, and the resulting manual action needed for every client.