HTTP Strict Transport Security (HSTS) support in VisualSVN Server

Applies to: VisualSVN Server 5.1 and later

The HTTP Strict Transport Security (HSTS) policy enforces the use of the secure HTTPS protocol when accessing the server. When the policy is enabled on a server, HSTS-capable clients that have received it contact the server only through a secure connection (HTTPS), even if a user types or follows a plain http:// URL. The policy thus helps protect against man-in-the-middle attacks that downgrade or intercept the connection, and it prevents users from clicking through certificate warnings.

Prerequisites

Before enabling HSTS, ensure that VisualSVN Server is configured to use a secure connection (HTTPS) and that a valid TLS/SSL server certificate is installed.

The installed certificate must meet the following basic requirements:

  • The certificate is trusted on the client computers.
  • The certificate is issued to the correct server name.
  • The certificate is not expired.

The HSTS policy is silently ignored by clients if any of the above prerequisites is not met. HSTS-capable clients enable the policy only when they receive the Strict-Transport-Security response header from the server over a secure HTTPS connection and without any certificate errors; the same header received over plain HTTP, or over a connection with a certificate error, is discarded.

Note
HSTS-capable clients store the HSTS policy on the client side for the period specified by the server. If the server certificate becomes invalid (e.g., expires or no longer matches the server name), those clients refuse to connect and offer no way to bypass the certificate error, so users lose access to the server until a valid certificate is installed.

How HSTS works

When HSTS is active in VisualSVN Server, the server adds the Strict-Transport-Security response header to its responses. The header informs clients that all requests to the server must use an HTTPS connection for a defined period of time, given by the header's max-age directive in seconds. By default, the period is one year (max-age=31536000).

HSTS-capable clients proceed as follows after receiving the HSTS response header:

  • Remember that HSTS is enabled on the server for the defined period.
  • Automatically upgrade all access attempts to the server from http:// to https://.
  • Prevent communication with the server if it presents an invalid server certificate.

Note
Although all modern web browsers support HSTS, current Subversion client versions do not. If you enable this option, it is honored by web browsers but ignored by clients such as svn.exe and TortoiseSVN. Enabling HSTS does not have any negative effect on Subversion clients.
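The following Python script is an added illustration, not part of the VisualSVN Server documentation or product: it models the client-side rules above as an HSTS-capable browser applies them (per RFC 6797), so the effect of each prerequisite can be seen directly. The host name svn.example.com, the header values and the request sequence are constructed sample data.

```python
"""Client-side model of the HSTS rules described above (RFC 6797). Added example."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

DEFAULT_MAX_AGE = 31536000  # one year, the VisualSVN Server default


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {'max_age', 'include_subdomains'}.
    Returns None for a malformed value (missing, duplicate or non-numeric max-age),
    which a client treats as if no header had been sent."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive (e.g. preload) is ignored
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsClient:
    """Minimal HSTS policy store implementing the three client behaviours."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expiry timestamp, include_subdomains)

    def observe_response(self, url, headers, cert_valid):
        """Learn a policy from a response. Only an https:// response with a
        certificate that validated counts; anything else is silently ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_valid:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._policies.pop(host, None)  # max-age=0 tells the client to forget
        else:
            self._policies[host] = (self._now() + policy["max_age"],
                                    policy["include_subdomains"])
        return True

    def is_known_host(self, host):
        """True while an unexpired policy covers the host (or a parent with includeSubDomains)."""
        host, now = host.lower(), self._now()
        for known, (expiry, subdomains) in list(self._policies.items()):
            if expiry <= now:
                del self._policies[known]  # max-age elapsed: policy forgotten
            elif host == known or (subdomains and host.endswith("." + known)):
                return True
        return False

    def prepare_request(self, url):
        """Rewrite http:// to https:// for known hosts before anything is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname):
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def connection_allowed(self, host, cert_valid):
        """A certificate error on a known host is fatal; there is no click-through."""
        return cert_valid or not self.is_known_host(host)


def demo():
    """The sequence a browser goes through against a constructed sample server."""
    clock = [1_700_000_000]
    client = HstsClient(now=lambda: clock[0])
    server = "svn.example.com"  # constructed host name
    hsts = {"Strict-Transport-Security": f"max-age={DEFAULT_MAX_AGE}"}
    out = {}
    client.observe_response(f"http://{server}/svn/", hsts, cert_valid=True)
    out["learned_over_http"] = client.is_known_host(server)         # header over HTTP: ignored
    client.observe_response(f"https://{server}/svn/", hsts, cert_valid=False)
    out["learned_with_bad_cert"] = client.is_known_host(server)     # certificate error: ignored
    client.observe_response(f"https://{server}/svn/", hsts, cert_valid=True)
    out["learned_over_https"] = client.is_known_host(server)        # clean HTTPS: stored
    out["upgraded"] = client.prepare_request(f"http://{server}/svn/repo/trunk")
    out["blocked_on_expired_cert"] = not client.connection_allowed(server, cert_valid=False)
    clock[0] += DEFAULT_MAX_AGE + 1                                  # one year later
    out["still_known"] = client.is_known_host(server)                # policy expired
    return out
```

demo() walks one client through the cases above: the header received over plain HTTP or alongside a certificate error leaves the client unaware of the policy; once received cleanly over HTTPS, http:// URLs are rewritten before any request leaves the client and a later certificate error is a hard failure; after max-age elapses the policy is forgotten. To confirm that a real server emits the header after you enable the setting, request any URL over HTTPS and inspect the response headers, for example with curl -sI https://svn.example.com/ (curl is included in Windows 10 and later), and look for a Strict-Transport-Security line.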

Configuring HTTP Strict Transport Security (HSTS)

Follow these steps to enable HSTS in VisualSVN Server:

  1. Start the VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Network tab.
  4. Select the check box Enable HTTP Strict Transport Security (HSTS).
  5. Click Apply.

The VisualSVN Server HTTP service restarts, and HSTS becomes active.

See also

KB191: Understanding VisualSVN Server network settings
KB134: Configuring SSL Certificates for VisualSVN Server
