HSTS header missing from Messaging Gateway Control Center HTTP response headers

Article ID: 213372

Updated On:

Products

Messaging Gateway

Issue/Introduction

A vulnerability scan of the Messaging Gateway (SMG) Control Center indicates that SMG does not include the optional HTTP Strict Transport Security (HSTS) header in its HTTP response headers.

Cause

The HSTS header is not present in the SMG Control Center HTTP response headers.

Environment

Messaging Gateway

Resolution

This does not represent a security issue.

By default, the SMG Control Center communicates only via HTTPS and allows neither HTTP connections nor the downgrade of HTTPS to unencrypted communication. No HSTS header is needed because no unencrypted communication is allowed.

Unencrypted HTTP communication may be enabled by running the `cc-config http --on` command from the admin command line (CLI). In this configuration it would not be appropriate to include the HSTS header, because HTTP communication has been explicitly allowed by the site administrator.
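
When triaging this scanner finding, the two observations the resolution relies on (whether a plain-HTTP listener answers, and what the HTTPS response headers contain) can be checked together. The following is an added example, not code from this article or from the product; the function names, the default port 80, the sample headers and the disposition wording are assumptions of the example.

```python
import socket

# Constructed sample HTTPS response headers (not captured from a real appliance).
SAMPLE_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_HSTS = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n"

def parse_hsts(raw_headers):
    """Return HSTS max-age in seconds, or None if the header is absent or malformed."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.strip().lower() == "max-age":
                    val = val.strip().strip('"')
                    return int(val) if val.isascii() and val.isdigit() else None
    return None

def http_listener_open(host, port=80, timeout=3.0):
    """True if a TCP connection to the plain-HTTP port succeeds (port 80 is an assumption)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(http_open, https_headers):
    """Map the two observations to a disposition (wording is this example's, not the vendor's)."""
    max_age = parse_hsts(https_headers)
    hsts_active = max_age is not None and max_age > 0  # max-age=0 clears the policy
    if not http_open and not hsts_active:
        return "expected: HTTPS-only default, no HSTS header"
    if http_open and not hsts_active:
        return "verify: HTTP listener open; confirm cc-config http --on was intentional"
    return "review: HSTS header present, which the article says SMG does not send"

if __name__ == "__main__":
    # Offline demonstration with the constructed samples above.
    print(triage(False, SAMPLE_NO_HSTS))
    print(triage(True, SAMPLE_NO_HSTS))
    print(triage(False, SAMPLE_HSTS))
```

For a live check, pass the result of `http_listener_open()` for the Control Center host and the raw headers from an HTTPS response to `triage()`.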