Queries Around AI Center Product Using HSTS And TLS1.2 / TLS1.3 Protocol

How to configure AI Center to use HSTS and TLS 1.2/TLS 1.3?

Note: In response to certain security scanning results, the steps below can be used to configure AI Center to use the TLS 1.2 / TLS 1.3 protocol and HSTS.

Resolution: AI Center does include HSTS for calls to the AI Center backend. Only the first call to the AI app lacks the HSTS header.

The first call to the AI app does not enforce HSTS as of now, but any further calls to the AIC backend enforce HSTS. Lack of HSTS is a very low risk for use of AI Center on-premise. URL rewrite is done at the backend, so every request towards the AI Center server coming from the outside will be made over HTTPS.

What does HSTS do? HSTS prevents a browser from connecting to a domain via HTTP the next time it connects to that domain. This prevents an attacker from creating an HTTP site with the same domain name to trick a user into accessing a fake malicious host.

In the context of an AI Center deployment at USDA, there are several other mitigating factors that would prevent an attacker from being able to execute such an attack. UiPath will look to implement this functionality in a future release, but it is a very low risk.

Steps to configure AIC to use a minimum of TLS v1.2 (v21.10+):

Execute the command below on the AI Center Linux server with sudo privileges. It patches the AI Fabric gateway to use TLS 1.2 as the minimum protocol version.
  • kubectl -n istio-system patch gw aifabric-gateway --type=json -p='[{"op":"replace","path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_2"}]'
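
To confirm the result after patching, the following script reads back the gateway's minimum protocol version, probes each TLS version, and checks whether the first response from the app carries an HSTS header. It is an added example, not UiPath code; AIC_HOST (your AI Center FQDN), port 443 and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not UiPath code). AIC_HOST is a placeholder for your AI Center
# FQDN; nothing below contacts the network or the cluster unless it is set.

# Read raw HTTP response headers on stdin; print the HSTS max-age value.
# Returns 1 when no Strict-Transport-Security header with max-age is present.
hsts_max_age() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "strict-transport-security" {
      n = split(tolower($2), d, "; *")
      for (i = 1; i <= n; i++)
        if (d[i] ~ /^max-age=/) {
          sub(/^max-age=/, "", d[i]); gsub(/"/, "", d[i])
          print d[i]; found = 1; exit
        }
    }
    END { exit (found ? 0 : 1) }'
}

# Succeeds only if the header is present with a non-zero max-age
# (max-age=0 tells the browser to forget the HSTS policy).
hsts_enforced() {
  age=$(hsts_max_age) || return 1
  [ "$age" -gt 0 ] 2>/dev/null
}

# Succeeds if the server completes a handshake limited to one protocol
# version; $2 is an openssl s_client flag such as -tls1_1 or -tls1_2.
tls_accepted() {
  openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null >/dev/null 2>&1
}

if [ -n "${AIC_HOST:-}" ]; then
  # Expect TLSV1_2 for the patched server entry.
  kubectl -n istio-system get gw aifabric-gateway \
    -o jsonpath='{.spec.servers[*].tls.minProtocolVersion}{"\n"}'
  for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    if tls_accepted "$AIC_HOST" "$v"; then echo "$v accepted"; else echo "$v rejected"; fi
  done
  # First response from the app, the call the article says lacks the header.
  # curl must trust the server certificate for this check to be meaningful.
  if curl -sI "https://$AIC_HOST/" | hsts_enforced; then
    echo "HSTS present on first response"
  else
    echo "HSTS missing on first response"
  fi
fi
```

A "rejected" result for -tls1 or -tls1_1 can also come from a local OpenSSL build that has those versions disabled, so treat the kubectl output as the authoritative check of the gateway setting.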