Network security

IBM enforces HTTP Strict Transport Security (HSTS) on all IBM® Security Verify responses.

HSTS improves security by requiring the browser to use HTTPS rather than HTTP for every connection to Verify.

HSTS instructs the browser to use HTTPS for all requests to Verify. The browser remembers this instruction for the period given by the header's max-age value, so the next time a user visits Verify, even by typing a plain http:// address, the browser uses HTTPS without ever sending the request in the clear.

HSTS works through the Strict-Transport-Security response header. A browser only honors this header when it arrives on an HTTPS response; after that, for the max-age period, the browser refuses to send any plain HTTP request to that host and upgrades every such request to HTTPS before it leaves the browser. For example, http://example.com/some/page/ is rewritten to https://example.com/some/page/ before the server is contacted. If the connection cannot be secured (for example, the server's TLS certificate isn't trusted or has expired), the browser shows an error that the user cannot click through, and Verify is unreachable until the certificate problem is fixed. This is deliberate: with HSTS in force, a certificate warning is treated as an attack, not as an inconvenience to bypass.

IBM uses HTTP Strict Transport Security (HSTS) with the following settings.
Max age: 1 year (max-age=31536000 seconds)
Include subdomains: YES (includeSubDomains)
Preload: YES (preload; vanity hostnames only, see the note)
Together these produce the response header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
Note: The preload directive is set for vanity hostnames only. The directive by itself does not add the domain to any list; it signals that the domain owner consents to inclusion in the HSTS preload list that is hardcoded into Google Chrome and into the other browsers that derive their lists from the Chrome list. You still need to submit the domain at hstspreload.org, which checks that the root domain serves exactly these settings (max-age of at least one year, includeSubDomains, and preload) before accepting it. Once your domain is in the preload list, the browser connects by using HTTPS from the very first attempt, which protects against 'bootstrap man-in-the-middle' attacks on the first visit. If your domain isn't in the preload list, a user's first request to a plain http:// address is sent over HTTP; Verify redirects it to HTTPS and sends the HSTS header on that HTTPS response, and from then on the browser connects by using HTTPS for the max-age period. Two cautions before you submit a vanity domain: includeSubDomains applies to every subdomain of the submitted domain, so any subdomain that is not served over HTTPS becomes unreachable in preloaded browsers, and removal from the preload list takes several browser release cycles, so treat preloading as effectively permanent.
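The following Python script is an added example, not IBM or browser code. It covers both the header-driven upgrade behaviour described above and the settings table: it parses a Strict-Transport-Security header the way RFC 6797 describes (case-insensitive directive names, optional quoting), checks a header against the three hstspreload.org submission requirements stated in the note, and models a browser's HSTS cache so you can see which http:// URLs get rewritten and which do not (expired entries, subdomains without includeSubDomains, max-age=0 removal). The header values and hostnames (verify.example.com and so on) are constructed sample input; the only real setting is the one the page gives, max-age=31536000; includeSubDomains; preload.

```python
"""Parse Strict-Transport-Security headers, check preload eligibility, and
simulate the browser-side upgrade of http:// URLs.

Added example; not part of IBM Security Verify or of any browser's code.
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

# Constructed sample header that matches the settings stated on this page.
VERIFY_HEADER = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(header):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}.

    Directive names are case-insensitive (RFC 6797 section 6.1) and the
    max-age value may be quoted; an unparsable max-age is treated as absent.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(header):
    """List why a header would fail the hstspreload.org checks described on
    this page: max-age >= 1 year, includeSubDomains, preload.
    An empty list means the header is eligible."""
    p = parse_hsts(header)
    problems = []
    if p["max_age"] is None:
        problems.append("max-age directive missing")
    elif p["max_age"] < ONE_YEAR:
        problems.append(f"max-age {p['max_age']} is below one year ({ONE_YEAR})")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not p["preload"]:
        problems.append("preload missing")
    return problems


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry, include_subdomains).
    `now` is injectable so that expiry can be tested deterministically."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}

    def observe(self, host, header, received_at=None):
        """Record the policy carried by a header seen on an HTTPS response for
        `host`. A browser ignores the header on plain HTTP responses, so the
        caller is responsible for only passing headers received over HTTPS.
        max-age=0 deletes the stored policy, as RFC 6797 specifies."""
        p = parse_hsts(header)
        if p["max_age"] is None:
            return
        if p["max_age"] == 0:
            self._hosts.pop(host.lower(), None)
            return
        t = received_at if received_at is not None else self._now()
        self._hosts[host.lower()] = (t + p["max_age"], p["include_subdomains"])

    def is_known(self, host):
        """True if `host` matches an unexpired entry exactly, or a superdomain
        entry that was stored with includeSubDomains."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually request: http:// is
        upgraded to https:// for known hosts (explicit port 80 becomes the
        default 443, other explicit ports are kept); anything else is returned
        unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(parse_hsts(VERIFY_HEADER))
    print("preload problems:", preload_problems("max-age=86400"))
    store = HstsStore()
    store.observe("verify.example.com", VERIFY_HEADER)
    print(store.rewrite("http://login.verify.example.com/some/page/"))
```

Running the script against a live deployment only needs one extra step: fetch the HTTPS response headers for the vanity hostname and pass the Strict-Transport-Security value to preload_problems before you submit the domain at hstspreload.org. Note that the store deliberately distinguishes an entry stored without includeSubDomains from one stored with it, which is the difference between the default settings on this page and a policy that leaves subdomains unprotected.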