Is your Salesforce Organization compliant with the HSTS Information Security Standard?

With the advent of Service Oriented Architecture (SOA), the Internet of Things (IoT) and Artificial Intelligence (AI), more web services and bots are processing data every second than ever before. With this evolution, the volume and complexity of the data being processed has also grown exponentially.

As organizations ramp up their use of Salesforce.com CRM, we also need to ensure that the customizations and integrations implemented in the CRM comply with international data security standards. In this blog, we will briefly look at the HSTS Information Security Standard and why organizations need to implement it sooner rather than later.

I have heard about HTTPS but what is this HSTS?

We all know that plain HTTP sends data across the network unencrypted, so anyone who can see the traffic can sniff it off the wire. HTTPS is now widely used: it layers SSL/TLS over HTTP using certificates, so the data is encrypted while it travels (how strongly depends on the cipher suite negotiated) and becomes difficult for an attacker to intercept and decode.

Read this blog to learn more about HSTS; here are some quick points I have noted from it. Assume a scenario where your organization uses many integrations with web services, some over HTTP and some over HTTPS. Here, an attacker on the network path can capture the plain-HTTP traffic of any client that relies on a 301 redirect to switch from HTTP to HTTPS: the first request is still sent in the clear. This gives the attacker an opportunity to strip away your SSL encryption (the client never reaches the HTTPS endpoint) and steal valuable data.

This is why you should employ HTTP Strict Transport Security (HSTS) rather than HTTPS alone. HSTS tells browsers and other user agents how to handle future connections to your domain through a response header, “Strict-Transport-Security”, returned with the very first HTTPS response. Once a browser has seen this policy it forces every connection to that domain over HTTPS, including any resource that a script tries to load over plain HTTP. Padlocking your website is not enough, because people will still find a way to reach it over http://. HSTS makes the browser use HTTPS whenever it is available, even if someone just types in the www address or http://.

Who introduced HSTS?

Google introduced the HSTS security policy on 29 July 2016.

Which companies have implemented HSTS so far?

Facebook, Google, Gmail, Twitter and PayPal are some that have implemented HSTS as of today.

What should we do in Salesforce to on-board into the HSTS Security standard?

Right now, HSTS is only applicable in Salesforce to Sites & Communities. It is not mandatory to switch to HSTS immediately, but this transition will need to be made in the near future.

The HSTS setting for Sites & Communities is governed by the Session Settings screen (Setup → Administer → Security Controls → Session Settings).

Things to remember

  • HSTS is enabled on all Visualforce pages and cannot be disabled.
  • The option in Session Settings described above only enables HSTS on Communities and Force.com Sites.

You can enable HSTS in Lightning Communities and Force.com Sites that use the default (.force.com) domain, and also in Communities and Force.com Sites that use a custom domain. The Winter ’18 Release Notes give the detailed steps: https://releasenotes.docs.salesforce.com/en-us/winter18/release-notes/rn_security_hsts_forces_https.htm

If you are using a custom domain obtained from a non-Salesforce host for Communities & Force.com Sites, the following are the things you need to enforce at your hosting provider for that domain before you switch on HSTS in Salesforce. Please note that different hosting providers have different ways to enable HSTS; some do not allow it on shared hosting and only allow HSTS on dedicated servers.

  • Your website must have a valid SSL certificate.
  • Redirect ALL HTTP links to HTTPS with a 301 Permanent Redirect.
  • All subdomains must be covered by your SSL certificate. Consider ordering a wildcard certificate.
  • The initial max-age must be at least 10886400 seconds (18 weeks). Once you are confident with HSTS, you can increase max-age to 63072000 seconds (2 years).
  • Serve an HSTS header on the base domain for HTTPS requests (browsers only honour the header when it arrives over HTTPS).
  • The includeSubDomains directive must be specified if you have subdomains.
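The following is an added example, not code from the original post or from Salesforce, that ties together the header explanation above and this hosting-provider checklist. It parses a Strict-Transport-Security header the way RFC 6797 describes the directive list and then audits constructed sample responses for a hypothetical domain (example.invalid) against the checklist: a 301 redirect on the plain-HTTP side, a header present on the HTTPS side, a max-age of at least 18 weeks, and includeSubDomains where subdomains exist. Nothing is fetched from the network; the sample responses are constructed for illustration.

```python
"""Audit HSTS readiness of a custom domain against the checklist above.

Added example, not Salesforce code. Sample responses are constructed for
a hypothetical domain; nothing is fetched from the network.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_INITIAL_MAX_AGE = 10886400   # 18 weeks: the minimum the checklist asks for
RECOMMENDED_MAX_AGE = 63072000   # 2 years: the value to move to once confident


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the STS directive list (RFC 6797 section 6.1): ';'-separated,
    case-insensitive names, max-age as a plain or quoted integer, each
    directive at most once, unknown directives ignored."""
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age is not an integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.errors.append("max-age directive is required")
    return policy


def evaluate_hsts(header_value: str, has_subdomains: bool = True) -> List[str]:
    """Findings for an STS header received over HTTPS (empty list = passes)."""
    policy = parse_hsts(header_value)
    findings = list(policy.errors)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
        elif policy.max_age < MIN_INITIAL_MAX_AGE:
            findings.append(
                f"max-age {policy.max_age} is below 18 weeks ({MIN_INITIAL_MAX_AGE})")
    if has_subdomains and not policy.include_subdomains:
        findings.append("includeSubDomains is missing although subdomains exist")
    return findings


def check_http_redirect(status: int, location: Optional[str]) -> List[str]:
    """The plain-HTTP side must answer with a 301 to the https:// URL."""
    findings = []
    if status != 301:
        findings.append(f"HTTP response is {status}, expected 301 Permanent Redirect")
    if not location or not location.lower().startswith("https://"):
        findings.append(f"Location does not point at https://: {location!r}")
    return findings


def audit_response(scheme: str, status: int, headers: dict,
                   has_subdomains: bool = True) -> List[str]:
    """Audit one response; headers is a dict keyed by lower-case header name."""
    sts = headers.get("strict-transport-security")
    if scheme == "http":
        findings = check_http_redirect(status, headers.get("location"))
        if sts is not None:
            # RFC 6797 section 8.1: a browser ignores STS received over HTTP
            findings.append("STS header over plain HTTP is ignored by browsers")
        return findings
    if sts is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    return evaluate_hsts(sts, has_subdomains)


# Constructed sample responses for a hypothetical domain (not captured traffic).
SAMPLES = {
    "http-redirect-ok": ("http", 301, {"location": "https://example.invalid/"}),
    "http-temporary":   ("http", 302, {"location": "http://example.invalid/"}),
    "https-short":      ("https", 200, {"strict-transport-security": "max-age=300"}),
    "https-good":       ("https", 200, {"strict-transport-security":
                         f"max-age={RECOMMENDED_MAX_AGE}; includeSubDomains"}),
}

if __name__ == "__main__":
    for name, (scheme, status, headers) in SAMPLES.items():
        print(name, "->", audit_response(scheme, status, headers) or ["OK"])
```

Run it as a script to see each constructed response scored against the checklist; to audit a real domain, feed the scheme, status code and headers of the responses your hosting provider actually returns for http:// and https:// into audit_response. The "http-temporary" sample shows why the checklist insists on a 301 rather than a 302, and the "https-short" sample shows a header that is present but too weak to count as HSTS compliance.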

You can use https://www.ssllabs.com/ssltest/index.html to check your domain for HSTS compliance.

Once these aspects have been taken care of at your hosting provider, you can safely go ahead and switch ON HSTS in Salesforce for Communities & Force.com Sites.

Are you looking for HSTS transition? Get in touch with our Salesforce experts and learn more on how to upgrade.


About the Author:

Abhishek Sivasubramanian works with Suyati as a Development Lead in Salesforce CRM & .NET Application Development. He is an international speaker at the world’s largest conferences, such as Dreamforce, IEEE and ICWS, and has been a mentor to many newcomers and professionals in the IT industry.


Author : Abhishek Subramanian Date : 03 Jul 2018