1.25 Ensure 'List of names that will bypass the HSTS policy check' is set to 'Disabled'

Information

This setting allows a list of names to be specified that will be exempt from HTTP Strict Transport Security (HSTS) policy checks, then potentially upgraded from http:// to https://.

The recommended state for this setting is: Disabled (0)

Rationale:

Allowing hostnames to be exempt from HSTS checks could allow for protocol downgrade attacks and cookie hijackings.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\List of names that will bypass the HSTS policy check

Default Value:

Unset (Same as Disabled, but user can change)

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(3), 800-53|SC-7(4), CSCv7|7.4

Plugin: Windows

Control ID: 6033594603f4f177645dfdf1185df48fc0981c1626f08feb2abd62ed7d31f4c3