1.1.34 Ensure 'Configure the list of names that will bypass the HSTS policy check' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting allows a list of names to be specified that will be exempt from HTTP Strict Transport Security (HSTS) policy checks then potentially upgraded from http:// to https://.

The recommended state for this setting is: Disabled.

Rationale:

Allowing hostnames to be exempt from HSTS policy checks could allow for protocol downgrade attacks and cookie hijackings.

Impact:

There should be no adverse affect to users.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Configure the list of names that will bypass the HSTS policy check

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Not Configured.

See Also

https://workbench.cisecurity.org/files/3907