HSTS Missing From HTTPS Server

Article ID: 202125

Updated On:

Products

Data Loss Prevention Data Loss Prevention Enforce

Issue/Introduction

A vulnerability scanner is returning "HSTS Missing From HTTPS Server" when scanning the Enforce server.

Environment

Data Loss Prevention Enforce

Cause

The base Tomcat site does not require HSTS to be enabled.

DLP does implement Strict-Transport-Security, but only for the "ProtectManager" application path of the DLP Enforce Management Console, not for the base Tomcat page:

https://<Enforce server>/ProtectManager

Console access starts from this page.

Resolution

Re-run the vulnerability scan against the Enforce console page rather than the base URL of the server:

https://<Enforce server>/ProtectManager

Confirm the Strict-Transport-Security header is present in the response once the Enforce console page loads.
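To verify the behaviour described above before and after re-scanning, here is an added example (not code from the article or from the DLP product) that parses HTTP response headers and reports whether a usable HSTS header is present. The two embedded responses are constructed to mirror the article: no header on the base path, a header on /ProtectManager; their exact values, and the one-year minimum max-age, are assumptions.

```python
"""Check whether an HTTP response carries a usable HSTS header (added example)."""
import re
from typing import Optional
from urllib.request import Request, urlopen

# Constructed sample responses (headers only), keyed by the path requested.
# Header values are assumptions, not captures from a real Enforce server.
SAMPLE_RESPONSES = {
    "/": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Content-Type: text/html;charset=UTF-8\r\n\r\n"
    ),
    "/ProtectManager": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Type: text/html;charset=UTF-8\r\n\r\n"
    ),
}

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(headers: dict) -> Optional[int]:
    """Return the HSTS max-age in seconds, or None if the header is absent or malformed."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_path(path: str, min_age: int = 31536000) -> str:
    """Classify a sample path as 'missing', 'weak' (max-age below min_age) or 'ok'.
    The one-year default is an assumption; scanners differ on the threshold."""
    age = hsts_max_age(parse_headers(SAMPLE_RESPONSES[path]))
    if age is None:
        return "missing"
    return "ok" if age >= min_age else "weak"

def check_live(url: str) -> Optional[int]:
    """Fetch a real HTTPS URL (e.g. https://<Enforce server>/ProtectManager) and
    return its HSTS max-age, or None if the header is absent."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return hsts_max_age({k.lower(): v for k, v in resp.headers.items()})
```

Run `check_live` against both the base URL and the /ProtectManager URL of your own Enforce server to see the difference the article describes; browsers only honour the header over HTTPS, so test the https:// URL.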