Let's say I run a company "Example Inc" and have a website at:
Now because I'm security conscious I'm using https and would like to set the HSTS header to force its use. I'd also set includeSubDomains, and for a long time, let's say a year.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Now I'm also a good website owner so I set up the following with 301 redirects to the above site:
The last one also has the HSTS header as well, as it's an https site.
This, as I understand it, is the recommended setup for running an https website (plus lots of other settings obviously) and would be fairly common.
So far so good.
Now internally, on the company intranet, and not available on the Internet, I have loads of servers and use the example.com domain. So I have:
- machine1.example.com
- machine2.example.com, etc.
Now supposing some of these machines run web servers and not all of them are https.
Does this not mean that if any of my employees happened to visit https://example.com then their browser will store the HSTS policy and will refuse to go to http for any subdomains, and so can no longer access some of those internal http-only web servers?
What's the way around this?
Should I compromise my external website security by not using the includeSubDomains setting? At least not on the https://example.com site? It seems wrong to compromise external security for an internal issue.
Should I force all my internal apps to be https too? That's easier said than done.
Should I use a different domain internally? E.g. machine1.intraexample.com? Seems a waste of a domain and some items (e.g. Email server) will need to be on the main domain, though possibly they could be limited to https only web servers if they even need to run them at all.
Any other thoughts?
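To make the mechanism behind the question concrete, the following is an added example, not code from the original post: a toy Python model of a browser's HSTS policy cache as described in RFC 6797. It records the `Strict-Transport-Security` header from an HTTPS response and then decides whether a later plain-http request to some host must be upgraded. The hostnames example.com and machine1.example.com come from the question; the function and class names are this example's own. It is deliberately simplified: no preload list, no public-suffix handling, and it assumes the caller only passes headers from responses with a valid certificate chain (a browser ignores HSTS on responses with certificate errors).

```python
"""Toy model of a browser's HSTS policy cache (RFC 6797), added as an illustration."""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires_at: float           # absolute time (epoch seconds) when the policy lapses
    include_subdomains: bool    # True when the header carried includeSubDomains


def parse_hsts(header_value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when there is
    no valid max-age directive (a browser then ignores the header entirely).
    Directive names are case-insensitive.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """Per-browser cache of known HSTS hosts (hypothetical, simplified)."""

    def __init__(self) -> None:
        self._entries: Dict[str, HstsEntry] = {}

    def record(self, host: str, header_value: str, over_https: bool = True,
               now: Optional[float] = None) -> None:
        """Process the header of a response from `host`. Only HTTPS responses count."""
        if not over_https:
            return                      # header on a plain-http response is ignored
        parsed = parse_hsts(header_value)
        if parsed is None:
            return                      # malformed / missing max-age: ignored
        now = time.time() if now is None else now
        host = host.lower()
        if parsed["max_age"] == 0:
            self._entries.pop(host, None)   # max-age=0 removes the host from the cache
            return
        self._entries[host] = HstsEntry(now + parsed["max_age"],
                                        parsed["include_subdomains"])

    def should_upgrade(self, host: str, now: Optional[float] = None) -> bool:
        """True if a plain-http request to `host` must be rewritten to https.

        Walk from the exact host up through its parent domains: an exact match
        always applies, a parent match applies only if it had includeSubDomains.
        """
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None or entry.expires_at <= now:
                continue                # unknown or expired: keep looking upward
            if i == 0 or entry.include_subdomains:
                return True
        return False


def intranet_scenario(include_subdomains: bool, now: float = 0.0) -> bool:
    """An employee visits https://example.com, then opens http://machine1.example.com.

    Returns whether the browser would refuse the plain-http intranet request.
    """
    store = HstsStore()
    value = "max-age=31536000"
    if include_subdomains:
        value += "; includeSubDomains"
    store.record("example.com", value, now=now)
    return store.should_upgrade("machine1.example.com", now=now + 60)


if __name__ == "__main__":
    print("with includeSubDomains:", intranet_scenario(True))     # True
    print("without includeSubDomains:", intranet_scenario(False)) # False
```

The `intranet_scenario` function reproduces the situation in the question: with `includeSubDomains` on the apex policy, every `*.example.com` host inherits the upgrade; without it, only `example.com` itself is affected. The upward walk in `should_upgrade` also shows why a policy set only on `www.example.com` never reaches `machine1.example.com`: they are siblings, not parent and child.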