How to Configure Chocolatey Central Management to Use HSTS

How to Configure Chocolatey Central Management to Use HSTS



Although HTTP Strict Transport Security (HSTS) allows you to have reasonable certainty that your connection to Chocolatey Central Management is not intercepted, we recommend that you do not connect your Chocolatey Central Management server directly to the internet.

Chocolatey Central Management is hosted by IIS and makes use of features available by it. Below is some general information about how to enable HSTS with both IIS and a reverse proxy.

Enabling HSTS Within IIS

If you are running IIS 10.0 version 1709 or later, you can enable HSTS using the documentation, and samples, provided by Microsoft. If you are on newer versions of IIS, you may have access to enabling HSTS within the IIS Management Console; steps to enable it this way are below.

  1. Open the IIS Management Console.
  2. In the Connection pane, expand the server and then Sites to select ChocolateyCentralManagement.
  3. On the right, select HSTS under Configure in the Actions pane.
  4. Configure HSTS as desired.

If you don’t have the option in the GUI, then you can still use the documentation, and samples, provided by Microsoft.

Enabling HSTS Prior to IIS 10.0 Version 1709

While HSTS is available natively within IIS 10.0 version 1709, it is possible to use it with IIS prior to this version.

Using a Reverse Proxy to Enable HSTS

While Chocolatey Central Management runs on IIS, you could use a reverse proxy and configure HSTS on the reverse proxy server. For instance NGINX has an article covering HSTS configuration, or you could use Apache and follow a guide such as this one.

We provide this information as a reference for enabling HSTS and you should evaluate and apply the necessary configuration for your environment.