To prevent MITM attacks, I'm trying to set up my DataMiner with HSTS (HTTP Strict Transport Security) enabled. I added the custom 'Strict-Transport-Security' header in IIS, but the header is only added for requests to /API.
Upon closer inspection, I noticed that most web.config files in the subfolders of C:\Skyline DataMiner\Webpages explicitly clear any custom HTTP headers defined on the IIS website. Is there a particular reason for this?
For example, this is the web.config file in C:\Skyline DataMiner\Webpages\Dashboards\Web.config:
Note the <clear /> tag.
Before adding any HTTP headers, our web applications clear all custom headers to avoid having multiple headers with the same name. This was the easiest solution, but probably not the best one. You can send us a task on Collaboration.
Thanks for the info Wim, I’ll make a task.
Sidenote: I can work around this and remove the from all the web.config files, but after upgrading these will be added again.
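
The behaviour discussed in this thread, as an added example that is not DataMiner's or Skyline's own code: a simplified model of how a child web.config's `<customHeaders>` section merges with headers inherited from the IIS site level, showing why a site-level HSTS header disappears below a `<clear />`. The function name `Get-EffectiveCustomHeaders`, the sample XML and the `max-age` value are constructed for illustration; `<location>` blocks and IIS's duplicate-entry handling are not modelled.

```powershell
# Added example. Simplified model of IIS <customHeaders> inheritance:
# <clear/> drops inherited headers, <remove> drops one, <add> sets one.
function Get-EffectiveCustomHeaders {
    param([hashtable]$Inherited, [string]$WebConfigXml)

    # PowerShell hashtable keys are case-insensitive, like HTTP header names.
    $effective = @{}
    foreach ($key in $Inherited.Keys) { $effective[$key] = $Inherited[$key] }

    $doc  = [xml]$WebConfigXml
    $node = $doc.SelectSingleNode('/configuration/system.webServer/httpProtocol/customHeaders')
    if ($null -eq $node) { return $effective }   # nothing overridden at this level

    # Apply the collection directives in document order.
    foreach ($child in $node.ChildNodes) {
        if ($child.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        switch ($child.LocalName) {
            'clear'  { $effective.Clear() }
            'remove' { $effective.Remove($child.GetAttribute('name')) }
            'add'    { $effective[$child.GetAttribute('name')] = $child.GetAttribute('value') }
        }
    }
    return $effective
}

# Constructed inputs: a site-level HSTS header and three child web.config bodies.
$siteHeaders = @{ 'Strict-Transport-Security' = 'max-age=31536000' }
$wrap = '<configuration><system.webServer><httpProtocol>{0}</httpProtocol></system.webServer></configuration>'
$samples = [ordered]@{
    'no customHeaders section' = $wrap -f ''
    'clear only'               = $wrap -f '<customHeaders><clear /><add name="X-Sample" value="1" /></customHeaders>'
    'clear, then re-add HSTS'  = $wrap -f '<customHeaders><clear /><add name="Strict-Transport-Security" value="max-age=31536000" /></customHeaders>'
}

# Report, per sample, whether HSTS survives the merge.
foreach ($name in $samples.Keys) {
    $headers = Get-EffectiveCustomHeaders -Inherited $siteHeaders -WebConfigXml $samples[$name]
    '{0,-26} HSTS present: {1}' -f $name, $headers.ContainsKey('Strict-Transport-Security')
}
```

To check a real installation, pass each file's content (`Get-Content -Raw`) from the subfolders of C:\Skyline DataMiner\Webpages instead of the constructed samples, and rerun it after an upgrade, since the thread notes that the files are restored.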