We see that once we implemented the SSL protocol in two DevTest environments, both those environments now are coming up with the 1505 QID 11827 vulnerability in version 10.4 

Release : 10.4

Component : CA Service Virtualization

Strict-Transport Security" header is applicable for HTTPs requests only. The "HTTP Security Header Not detected for port 1505" vulnerability reported for "Strict-Transport-Security

We have a Fix for this: 

 "patch_DE439275_10.4.0_GA.jar". This includes both "X-XSS-Protection HTTP Header missing on port 1505" and "Strict-Transport-Security HTTP Header missing on port 1505" fixes. 

Steps to apply:

1. Stop all the services.

2. Go to the /lib/patches folder. (Create the patches folder if it doesn't exist).

3. Copy and paste the attached patch 'patch_DE439275_10.4.0_GA.jar' into the patches folder.

4. Restart all the components.

5. Run a scan.


Additionally, you can verify the fix by hitting the URL "https://localhost:1505" in a browser after applying the patch and verify the response headers listed under the browser Network tab for that URL. You should now
see the below response headers:

Strict-Transport-Security: max-age=31556926; includeSubDomains

Content-Security-Policy: default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1;mode=block


Note: Apply this patch on all the machines where the Devtest components are running.

Please open  a support ticket for this.  And reference DE439275 in the description.