
HSTS header missing from Messaging Gateway Control Center HTTP response headers


Article ID: 213372



Messaging Gateway


A vulnerability scan of the Messaging Gateway (SMG) Control Center indicates that SMG does not include the optional HTTP Strict Transport Security (HSTS) header in its HTTP response headers.


The HSTS header is not present in the SMG Control Center HTTP response headers.


Messaging Gateway


This does not represent a security issue.

The SMG Control Center, by default, will only communicate via HTTPS and does not allow HTTP connections or the downgrade of HTTPS to unencrypted communication. No HSTS header is needed as no unencrypted communication is allowed.

Unencrypted HTTP communication may be enabled by running the `cc-config http --on` command from the admin command line (CLI) but, in this configuration, it would not be appropriate to include the HSTS header as HTTP communication has been explicitly allowed by the site administrator.
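
The reasoning above can be applied when triaging the scanner finding: the result depends on whether an HSTS policy is present in the HTTPS response and whether anything answers plain HTTP at all. The following Python sketch is an added example, not vendor code; the function names, probe labels, return values and sample headers are assumptions constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a policy dict, or None when the header must be ignored."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # each directive may appear only once
            return None
        directives[name] = val.strip().strip('"')   # max-age may be a quoted string
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                          # max-age is the one required directive
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def triage(https_headers, http_probe):
    """https_headers: headers from an HTTPS response (dict).
    http_probe: 'refused' if nothing answers plain HTTP, else 'served'.
    Both the labels and the return values are assumptions of this example."""
    raw = next((v for k, v in https_headers.items()
                if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(raw) if raw is not None else None
    if policy and policy["max_age"] > 0:     # max-age=0 tells browsers to drop the policy
        return "hsts-present"
    if http_probe == "refused":
        return "https-only"                  # the default configuration the article describes
    return "http-enabled"                    # confirm HTTP was turned on deliberately

# Constructed sample observations, not captured from a real appliance.
DEFAULT_SCAN = ({"Content-Type": "text/html", "Cache-Control": "no-store"}, "refused")
HTTP_ON_SCAN = ({"Content-Type": "text/html"}, "served")

if __name__ == "__main__":
    for label, (headers, probe) in (("default", DEFAULT_SCAN), ("http on", HTTP_ON_SCAN)):
        print(label, "->", triage(headers, probe))
```

A result of `http-enabled` corresponds to the case where `cc-config http --on` has been run, so the follow-up is to confirm with the site administrator that this was intended.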