VERIFIED SOLUTION

Resolving support for HTTP Strict Transport Security in Portrait Dialogue


 

Issue

The Portrait Dialogue web application sites may be vulnerable to man-in-the-middle attacks.
The sites currently accept connections over both HTTP and HTTPS but have not been configured to use HTTP Strict Transport Security (HSTS), which would ensure that clients always connect to the sites over HTTPS on subsequent visits.
 

Cause

HSTS is not something that can be enabled at the Portrait Dialogue level.
It can be enabled in IIS, in the configuration of the web applications.

Resolution

UPDATED: November 7, 2017
HSTS can be implemented with an open-source IIS module, available at the following URL: https://hstsiis.codeplex.com
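
Once HSTS is enabled in IIS, the response headers can be checked against the rules in RFC 6797. The following is an added example, not code from the vendor or from the IIS module: the function names, the 180-day `MIN_AGE` floor and the sample responses are assumptions made for illustration.

```python
import re

MIN_AGE = 15552000  # assumed policy floor (180 days); not a value from the page

def parse_hsts(value):
    """Parse an HSTS value (RFC 6797 sec. 6.1) into (max_age, include_subdomains)."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives ("max-age=1;")
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # max-age may be sent as a quoted-string
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen[name] = val
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        raise ValueError("max-age missing or not an integer")
    return int(seen["max-age"]), "includesubdomains" in seen

def audit(scheme, headers, min_age=MIN_AGE):
    """Return a list of findings for one response; an empty list is a pass."""
    raw = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP; servers must not send it.
        return ["HSTS header sent over plain HTTP"] if raw is not None else []
    if raw is None:
        return ["HTTPS response has no Strict-Transport-Security header"]
    try:
        age, _ = parse_hsts(raw)
    except ValueError as exc:
        return ["invalid HSTS header: %s" % exc]
    if age == 0:
        return ["max-age=0 tells browsers to delete the HSTS policy"]
    if age < min_age:
        return ["max-age %d is below the %d second floor" % (age, min_age)]
    return []

SAMPLES = [  # constructed responses, not captured from a real site
    ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https", {"Content-Type": "text/html"}),
    ("http", {"Strict-Transport-Security": "max-age=31536000"}),
]

if __name__ == "__main__":
    for scheme, hdrs in SAMPLES:
        print(scheme, audit(scheme, hdrs) or "OK")
```

To check a live site, pass `audit` the scheme and header dictionary of a real response, for example the headers returned by `urllib.request.urlopen(url).headers`.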