Enabling HSTS Strict Transport Security via Sparkle for HTTP.SYS

Hi, we're using Sparkle to implement an HTTP.SYS based web server application for Windows. We have limited the application in code to only support secure HTTPS connections. One of our customers has performed a security audit of the service, and reported that we are not including HSTS header(s) in our responses as described in RFC 6797. They view this as a potential vulnerability citing the potential for downgrade attacks, etc. notwithstanding our assurances that this is not possible since we explicitly ignore HTTP requests.

We've explored trying to enable HSTS globally for HTTP.SYS directly via the OS, but it does not appear to be possible. Is there a recommended means by which we can achieve this programmatically through Sparkle?

You can simply use a generic middleware in your server to add the header yourself.

Just use a generic middleware and use its OnRequest event. Example:

procedure TForm1.XDataServer1GenericRequest(Sender: TObject; Context: THttpServerContext; Next: THttpServerProc);
begin
  // OnHeaders runs just before the response headers are written, so the
  // header is added to every response regardless of which handler produced it
  Context.Response.OnHeaders(
    procedure(Response: THttpServerResponse)
    begin
      // max-age=63072000 is two years, in seconds
      Response.Headers.SetValue('Strict-Transport-Security', 'max-age=63072000');
    end
  );

  // continue the pipeline so the actual request handler still runs
  Next(Context);
end;
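As an added check (not part of this thread or of Sparkle): a small Python parser and reviewer for the Strict-Transport-Security value the middleware above emits, following the directive grammar in RFC 6797 section 6.1, which is the kind of test an auditor runs against a captured response header. The one-year minimum for max-age is a common deployment guideline assumed here, not something the RFC or the thread states.

```python
import re
from collections import namedtuple

# Added example (not from the forum thread): parse and review a
# Strict-Transport-Security header value as defined in RFC 6797, section 6.1.
ONE_YEAR = 31536000  # a common deployment guideline for max-age, not RFC text
HstsPolicy = namedtuple('HstsPolicy', 'max_age include_subdomains preload')

def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value; raise ValueError if RFC 6797 rules are broken."""
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for raw in value.split(';'):
        directive = raw.strip()
        if not directive:
            continue                  # tolerate an empty or trailing element
        name, _, arg = directive.partition('=')
        name, arg = name.strip().lower(), arg.strip()
        if name in seen:              # a directive MUST NOT appear more than once
            raise ValueError(f'duplicate directive: {name}')
        seen.add(name)
        if name == 'max-age':
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]       # the quoted-string form is permitted
            if not re.fullmatch(r'[0-9]+', arg):
                raise ValueError('max-age needs a non-negative integer')
            max_age = int(arg)
        elif name == 'includesubdomains':
            include_subdomains = True # valueless; directive names are case-insensitive
        elif name == 'preload':
            preload = True            # not in RFC 6797; used by browser preload lists
        # any other directive is unknown and ignored, as the RFC requires
    if max_age is None:
        raise ValueError('max-age directive is required')
    return HstsPolicy(max_age, include_subdomains, preload)

def review_hsts(value: str) -> list:
    """Findings an auditor would raise about the value; an empty list is clean."""
    try:
        policy = parse_hsts(value)
    except ValueError as err:
        return [f'invalid: {err}']
    findings = []
    if policy.max_age == 0:
        findings.append('max-age=0 tells clients to forget the policy')
    elif policy.max_age < ONE_YEAR:
        findings.append('max-age is shorter than one year')
    if not policy.include_subdomains:
        findings.append('includeSubDomains is not set')
    return findings
```

Running review_hsts on the value from the middleware above returns only the includeSubDomains finding; whether that directive belongs depends on whether every subdomain is also HTTPS-only.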