To secure the connection between the web server and the client (e.g. browser) we recommend to encrypt the transmission with TLS. If the JobRouter web server can be accessed via internet, it is possible to test the TLS configuration through the following link:
https://www.ssllabs.com/ssltest/
Make sure that the option Do not show the results on the boards is activated if you don't want your JobRouter installation to be listed in the currently checked websites list.
Activate HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections, which shall protect against the out-levering of the connection key via a downgrade attack as well as session hijacking. Therefore, make the following entry in the web.config of the web page. Adapt the number of seconds, if applicable, that shall be kept as configuration time in the browser (parameter max-age=31536000 means 1 year).
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Add Strict-Transport-Security when HTTPS">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
Set session-Cookie only via HTTPS
If the JobRouter installation is delivered only via HTTPS, please set the respective option in the PHP configuration.
