
Securing Composable with HTTPS for Operational Security

Getting Started

Information security is a top priority for IT professionals, as it ensures compliance and timely project delivery. When serving a web application like Composable, enabling HTTPS is paramount for safeguarding the confidentiality and integrity of crucial data streams. The good news is that setting up a modern HTTPS configuration in Composable is a straightforward process that takes just a few steps. In this post, we outline the steps for enabling HTTPS in Composable and ensuring a secure environment for your application.

First, you’ll want to configure IIS on your server to serve the Composable WebApp over HTTPS with a certificate. You can purchase a certificate from any signing authority, or obtain a free one through the Let’s Encrypt project. We’ll assume you have a TLS/SSL certificate ready to go.

When you’re ready to start, open the IIS Configuration Manager on your server. Navigate into Sites and then to the Default Web Site, under which the Composable application is installed.

Then, from the right-hand Actions toolbar, choose the link that says “Bindings”.

You should see a single entry, binding port 80 on the server to the plain HTTP protocol. We’ll need to add a binding for HTTPS. Choose “Add…” and set “https” as the type and ensure the port is set to 443. In “Host name”, type the domain name for your Composable instance, for which you acquired a certificate. Then, choose “Select…” and locate your certificate file. Then click OK, and your instance should be configured to use HTTPS!

Hardening your Secure Composable Instance

If you’re anything like me, you’ll want to make sure your server is using best practices for HTTPS. Composable offers a few extra configuration options to help you get the most out of your HTTPS setup. These are advanced settings, so be sure you’re confident about what you’re doing before beginning.

Require Secure Connections

To force all connections to use HTTPS, you’ll need to edit your WebApp configuration file. This file, Web.config, is located under your Composable installation directory, typically C:\Program Files\CompAnalytics\WebApp. Open this file in a text editor of your choice.

Inside this file, you should see a line like the one below:

If you don’t see this line, you can add it under the path /configuration/appSettings. Once you’ve located this setting, change the value from “True” to “False”. Enabling the “RequireHttps” setting will cause your Composable instance to automatically redirect any plaintext HTTP traffic to HTTPS. It will also utilize HSTS, or the Strict-Transport-Security header, which tells any browser connecting to the server to remember that this server only accepts secure connections. If you’re looking to secure your Composable instance, enabling this setting is an important step in preventing any non-secure information leakage.
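
A client-side check for the two behaviours this section attributes to RequireHttps (the redirect from plain HTTP to HTTPS, and the Strict-Transport-Security header), added here as an example and not part of Composable or the original post. The hostname composable.example.com and the sample responses are constructed; fetch() is a hypothetical helper for collecting real responses from your own instance.

```python
import http.client
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:  # first occurrence of a directive wins
            directives.setdefault(name.strip().lower(), arg.strip().strip('"'))
    return directives

def assess(host, http_resp, https_resp):
    """Return a list of findings; each *_resp is (status, headers dict)."""
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 303, 307, 308):
        findings.append(f"port 80 answered {status} instead of redirecting")
    elif target.scheme != "https" or (target.hostname or "").lower() != host.lower():
        findings.append(f"redirect goes to {headers.get('location')!r}, not https://{host}")
    # Browsers only honour HSTS received over HTTPS, so check that response.
    raw = next((v for k, v in https_resp[1].items()
                if k.lower() == "strict-transport-security"), "")
    hsts = parse_hsts(raw)
    if "max-age" not in hsts:
        findings.append("HTTPS response has no Strict-Transport-Security max-age")
    elif not hsts["max-age"].isdecimal() or int(hsts["max-age"]) == 0:
        findings.append(f"HSTS max-age={hsts['max-age']!r} does not pin HTTPS")
    return findings

def fetch(host, tls):
    """Issue one GET / without following redirects; returns (status, headers)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real Composable server).
GOOD_HTTP = (301, {"Location": "https://composable.example.com/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
BAD_HTTP = (200, {"Content-Type": "text/html"})
BAD_HTTPS = (200, {"strict-transport-security": "max-age=0"})

if __name__ == "__main__":
    print(assess("composable.example.com", BAD_HTTP, BAD_HTTPS))
```

To run it against a live server, pass assess() the results of fetch(host, tls=False) and fetch(host, tls=True); an empty list means both behaviours were observed.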

Upgrade to Secure Ciphers & Protocols

Another key step in securing your HTTPS configuration is to limit the types of ciphers and SSL/TLS versions that your server will accept. This protects against security downgrade attacks by refusing to send data to clients who are not capable of using a modern, secure cipher to protect the data flowing to and from your server. The whitelist of accepted ciphers & protocols is a setting native to Windows itself, so you’ll need to use a third-party tool to edit the registry keys that control these settings. We recommend using IIS Crypto. Simply select “Templates” from the sidebar and pick from the available options based on your needs, be it best practices, FIPS, or PCI compliance. Or, you can dig deeper and customize the whitelist yourself.


Once you’ve completed these steps, your Composable instance should be equipped to protect even the most sensitive data. We’ve applied these rules to our demo instance at cloud.composableanalytics.com, and just through these simple steps, we’ve achieved an A-rating from the industry-standard Qualys SSL Labs scan.