Securing Internet Information Services (IIS)
IIS Security: To support best practices for Web security, we recommend making these changes to the HTTP response headers for the Web site where the AlphaTrust® e-Sign Web applications are installed, using IIS Manager:
- Remove the "X-Powered-By" response header.
- Add a new header Strict-Transport-Security with a value of max-age=31536000. This header informs browsers that understand it (most do) that it is the policy of this site that users should connect only via HTTPS (SSL/TLS).
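The two header changes above can be scripted instead of clicked through in IIS Manager. The following is an added example, not part of the AlphaTrust® documentation or installer: it uses the WebAdministration module's configuration cmdlets to remove X-Powered-By and add Strict-Transport-Security for one site, then fetches the site over HTTPS and checks the response headers. The site name and URL are assumptions to adjust for your server; run it from an elevated PowerShell session on the IIS host.

```powershell
# Added example (not AlphaTrust code). Assumptions: $SiteName is the IIS site
# hosting e-Sign and $SiteUrl is its HTTPS address with a valid certificate.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'          # assumption
$SiteUrl     = 'https://esign.example.com/' # assumption
$HeadersPath = 'system.webServer/httpProtocol/customHeaders'
$AppHost     = 'MACHINE/WEBROOT/APPHOST'

# 1. Remove X-Powered-By for this site. IIS sets the header at the server
#    level; a site-scoped removal records a <remove name="X-Powered-By" />
#    in the site's location section so it is no longer inherited.
Remove-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter $HeadersPath -Name '.' -AtElement @{ name = 'X-Powered-By' } `
    -ErrorAction SilentlyContinue

# 2. Add Strict-Transport-Security with the one-year max-age recommended
#    above. Check first so repeated runs do not create a duplicate entry.
$existing = Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$HeadersPath/add[@name='Strict-Transport-Security']" -Name 'value' `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter $HeadersPath -Name '.' `
        -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=31536000' }
}

# 3. Verify. Browsers only honour HSTS on responses received over HTTPS,
#    so the check is made against the TLS binding, not plain HTTP.
$resp      = Invoke-WebRequest -Uri $SiteUrl -UseBasicParsing
$hsts      = $resp.Headers['Strict-Transport-Security']
$poweredBy = $resp.Headers['X-Powered-By']

if ($hsts -ne 'max-age=31536000') { Write-Warning "HSTS header missing or wrong: '$hsts'" }
if ($poweredBy)                    { Write-Warning "X-Powered-By still present: '$poweredBy'" }
if ($hsts -eq 'max-age=31536000' -and -not $poweredBy) { Write-Output 'Response headers OK' }
```

The verification step matters because a header added at the site level can still be overridden by a web.config deeper in the application path; checking the live response confirms what clients actually receive.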
SSL/TLS Hardening: the AlphaTrust® e-Sign installation process imports registry settings into the Windows registry that lock down the way the SChannel security provider behaves. SChannel is the Windows component that controls secure connections (SSL/TLS) to IIS sites on the server. These settings block the use of compromised or deprecated security mechanisms and weak ciphers, such as SSLv2, SSLv3, PCT, RC4, RC2, and DES. They effectively require TLS 1.2 or higher connections using strong ciphers, which all modern Web browsers support.
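Because the lockdown lives in the registry, it can be verified after installation (or after a Windows update or another product's installer touches the same keys). The following read-only audit is an added example, not the installer's own registry import: it reads the standard SChannel key for each deprecated protocol and weak cipher the text names and reports whether it is explicitly disabled. The list of keys is an assumption based on the mechanisms named above; extend it if your policy covers more.

```powershell
# Added example (not AlphaTrust code). Reads SChannel lockdown state; makes
# no changes. Run as a user that can read HKLM.
$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Items named in the text. Protocols use the \Server subkey (inbound side);
# cipher keys carry the standard SChannel names.
$Checks = @(
    @{ Name = 'SSL 2.0';     Key = "$Base\Protocols\SSL 2.0\Server" },
    @{ Name = 'SSL 3.0';     Key = "$Base\Protocols\SSL 3.0\Server" },
    @{ Name = 'PCT 1.0';     Key = "$Base\Protocols\PCT 1.0\Server" },
    @{ Name = 'TLS 1.0';     Key = "$Base\Protocols\TLS 1.0\Server" },
    @{ Name = 'TLS 1.1';     Key = "$Base\Protocols\TLS 1.1\Server" },
    @{ Name = 'RC4 128/128'; Key = "$Base\Ciphers\RC4 128/128" },
    @{ Name = 'RC4 56/128';  Key = "$Base\Ciphers\RC4 56/128" },
    @{ Name = 'RC4 40/128';  Key = "$Base\Ciphers\RC4 40/128" },
    @{ Name = 'RC2 128/128'; Key = "$Base\Ciphers\RC2 128/128" },
    @{ Name = 'DES 56/56';   Key = "$Base\Ciphers\DES 56/56" }
)

function Get-SchannelEnabledValue([string]$SubKey) {
    # .NET is used instead of the HKLM: drive on purpose: cipher key names
    # such as "RC4 128/128" contain "/", which the PowerShell registry
    # provider treats as a path separator, so Test-Path/Get-ItemProperty
    # cannot address them. OpenSubKey only splits on "\".
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $k) { return $null }
    try { return $k.GetValue('Enabled') } finally { $k.Close() }
}

function Test-SchannelLockdown {
    foreach ($c in $Checks) {
        $enabled = Get-SchannelEnabledValue $c.Key
        # Enabled = 0 is an explicit disable. A missing key or value means the
        # Windows default applies, which is not a lockdown, so flag it rather
        # than assume it is safe.
        $status = if ($null -eq $enabled)  { 'NOT SET (OS default applies)' }
                  elseif ($enabled -eq 0)  { 'disabled' }
                  else                     { 'ENABLED' }
        [pscustomobject]@{ Item = $c.Name; Status = $status; Key = "HKLM\$($c.Key)" }
    }
}

Test-SchannelLockdown | Format-Table -AutoSize
```

Anything reported as ENABLED or NOT SET is worth re-applying from the installer's registry settings and confirming with a restart, since SChannel reads these keys at service start.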
Certificates: Use SSL Certificates that are signed with the SHA-256 hash algorithm, as SHA-1 has been deprecated and will result in Web browser warnings over time.
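To find out whether a SHA-1 certificate is still in use before browsers start warning, the following added example (not part of the AlphaTrust® documentation) enumerates the certificates IIS actually has bound to HTTPS listeners via the WebAdministration module's IIS:\SslBindings drive and flags any whose signature algorithm is SHA-1. It checks only the bound leaf certificates; intermediate CA certificates in the chain are a separate concern.

```powershell
# Added example (not AlphaTrust code). Read-only; run on the IIS host with
# rights to read the LocalMachine certificate store.
Import-Module WebAdministration

function Get-IisCertificateReport {
    foreach ($b in Get-ChildItem IIS:\SslBindings) {
        # Each binding records the store name (usually 'My') and thumbprint.
        $cert = Get-Item "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)" -ErrorAction SilentlyContinue
        if (-not $cert) {
            # Binding points at a certificate that is no longer in the store.
            [pscustomobject]@{ Binding = "$($b.IPAddress):$($b.Port)"; Subject = '(missing)';
                               Expires = $null; Algorithm = $null; Weak = $true }
            continue
        }
        $alg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. 'sha1RSA', 'sha256RSA'
        $host = if ($b.Host) { " ($($b.Host))" } else { '' }
        [pscustomobject]@{
            Binding   = "$($b.IPAddress):$($b.Port)$host"
            Subject   = $cert.Subject
            Expires   = $cert.NotAfter
            Algorithm = $alg
            Weak      = [bool]($alg -match '^sha1')   # SHA-1 signature: replace with a SHA-256 cert
        }
    }
}

Get-IisCertificateReport | Format-Table -AutoSize
```

Rows with Weak = True should be replaced with certificates signed using SHA-256 (the report also shows expiry dates, so both renewals can be scheduled together).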