HSTS Missing From HTTPS Server

Article ID: 202125

Products

Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

A vulnerability scanner is returning "HSTS Missing From HTTPS Server" when scanning the Enforce server.

Cause

The Tomcat root site (https://<Enforce server>/) does not send the Strict-Transport-Security header; nothing in the base Tomcat configuration requires HSTS to be enabled there.

DLP does implement Strict-Transport-Security, but only within the "ProtectManager" web application (a context path on the same host, not a separate sub-domain):

https://<Enforce server>/ProtectManager

Console access starts from this page. Note that browsers apply an HSTS policy to the whole host (RFC 6797), so a browser that has loaded the console also upgrades requests for the server root. A vulnerability scanner, however, reports on the headers of each URL it requests, so a scan aimed at the root URL will keep flagging the missing header even though the console itself is protected.


Environment

Data Loss Prevention Enforce

Resolution

Re-run the vulnerability scan against the Enforce console URL rather than the server root:

https://<Enforce server>/ProtectManager

Once the console page loads, confirm that the response carries the Strict-Transport-Security header, for example by inspecting the response headers in the browser's developer tools or with curl.
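The script below is an added example for verifying the header from the command line; it is not part of the Broadcom article or of the DLP product. It fetches the response headers of both the server root and /ProtectManager with curl, extracts the max-age of any Strict-Transport-Security header, and prints a PASS/FAIL verdict per URL. It assumes curl is installed; the -k flag is included only because Enforce is often deployed with a self-signed certificate and should be dropped when the certificate is trusted. The embedded sample response is constructed for offline testing and was not captured from a real Enforce server.

```shell
#!/bin/sh
# Added example (not from the Broadcom KB article or the DLP product):
# check whether an HTTPS response carries a usable Strict-Transport-Security header.

# hsts_max_age: read raw HTTP response headers on stdin and print the max-age value
# of the first Strict-Transport-Security header. Prints nothing when the header is
# absent or lacks max-age (RFC 6797 makes max-age mandatory, so such a header is invalid).
hsts_max_age() {
    tr -d '\r' | tr 'A-Z' 'a-z' | awk '
        /^strict-transport-security:/ && !seen {
            seen = 1
            sub(/^strict-transport-security:[ \t]*/, "")
            n = split($0, d, /[ \t]*;[ \t]*/)
            for (i = 1; i <= n; i++)
                if (d[i] ~ /^max-age=[0-9]+$/) {
                    sub(/^max-age=/, "", d[i]); print d[i]; exit
                }
        }'
}

# hsts_verdict: take a max-age string (possibly empty) and print PASS or FAIL with a
# reason. Returns 0 on PASS. An absent header or max-age=0 (which tells browsers to
# forget the policy) is what a scanner reports as "HSTS Missing".
hsts_verdict() {
    age=$1
    if [ -z "$age" ]; then
        echo "FAIL: no Strict-Transport-Security header (or no max-age directive)"
        return 1
    elif [ "$age" -eq 0 ]; then
        echo "FAIL: max-age=0 clears the HSTS policy"
        return 1
    else
        echo "PASS: max-age=$age"
        return 0
    fi
}

# check_url: GET one URL over HTTPS, dump only the response headers, and report.
# -k skips certificate validation for self-signed Enforce certificates; remove it
# when the server certificate is trusted by the workstation.
check_url() {
    url=$1
    echo "== $url"
    age=$(curl -sS -k -o /dev/null -D - "$url" | hsts_max_age)
    hsts_verdict "$age"
}

# Constructed sample response (not captured from a real server) used to exercise the
# parser offline; it represents a console response that does carry the header.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html;charset=UTF-8
'

# Usage: sh hsts_check.sh enforce.example.com   (host name is a placeholder)
if [ -n "$1" ]; then
    check_url "https://$1/"
    check_url "https://$1/ProtectManager"
else
    # No host given: run the parser over the constructed sample only.
    hsts_verdict "$(printf '%s' "$SAMPLE_HEADERS" | hsts_max_age)"
fi
```

Given the Cause above, the root URL is expected to print FAIL and /ProtectManager to print PASS. The script only checks that a non-zero max-age is present; some scanners additionally require a minimum max-age or the includeSubDomains directive, so compare the printed value against the scanner's own policy when closing the finding.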