
EM Jetty configured for HTTPS only, responds on HTTP and doesn't follow HTTP Strict Transport Security


Article ID: 198107



CA Application Performance Management Agent (APM / Wily / Introscope); CA Application Performance Management (APM / Wily / Introscope); INTROSCOPE; DX Application Performance Management


The EM Jetty is locked down to HTTPS only, but responds to an HTTP request and returns "P". Our Security Team is flagging this as a "Strict-Transport-Security HTTP Header missing on port".

If the EM Jetty responds to an HTTP request when disabled, we need this updated to follow HTTP Strict Transport Security or to disable the HTTP response.


Release: 10.7.0

Component: APM Agents


This is resolved in HF61.

DE434288 - 20068181 - Security vulnerabilities in Jetty (EM/WV, APMSQLServer, jetty 9.4.11-2 upgraded to 9.4.27)
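To confirm the finding is closed after the hotfix, the bytes a port sends back to a `GET /` probe can be classified as below. This is an added example, not code from this article or from the product. The function names and result labels are hypothetical, and the sample replies are constructed (only the one-byte "P" reply comes from the report above).

```python
import re

def parse_hsts(value):
    """Return (max_age, include_subdomains); max_age is None when absent or malformed."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if re.fullmatch(r"[0-9]+", arg) else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def classify_reply(raw, over_tls):
    """Classify the bytes read back from a port after sending 'GET / HTTP/1.1'."""
    if not raw:
        return "no-reply"                      # port closed or connection dropped
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    if not re.match(r"HTTP/\d\.\d \d{3}", lines[0]):
        # Bytes came back, but not an HTTP response (the "P" case when sent in the clear).
        return "non-http-reply" if over_tls else "cleartext-non-http-reply"
    headers = {}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if sep:
            headers[key.strip().lower()] = val.strip()
    if not over_tls:
        # RFC 6797: browsers ignore HSTS received over plain HTTP, so adding the
        # header here would not help; the listener should not serve HTTP at all.
        return "cleartext-http-enabled"
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return "hsts-missing"
    max_age, _ = parse_hsts(hsts)
    if max_age is None:
        return "hsts-invalid"
    return "hsts-ok" if max_age > 0 else "hsts-disabled"  # max-age=0 clears the policy

# Constructed sample replies (the single byte "P" is the reply quoted in the report).
REPORTED_CLEARTEXT = b"P"
TLS_NO_HSTS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
TLS_WITH_HSTS = (b"HTTP/1.1 200 OK\r\n"
                 b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```
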