A vulnerability scan of the Messaging Gateway (SMG) Control Center indicates that SMG does not include the optional HTTP Strict Transport Security (HSTS) header in its HTTP response headers.
Messaging Gateway
The HSTS header is not present in the SMG Control Center HTTP response headers.
This does not represent a security issue.
The SMG Control Center, by default, will only communicate via HTTPS and does not allow HTTP connections or the downgrade of HTTPS to unencrypted communication. No HSTS header is needed as no unencrypted communication is allowed.
Unencrypted HTTP communication may be enabled by running the `cc-config http --on` command from the admin command line (CLI) but, in this configuration, it would not be appropriate to include the HSTS header as HTTP communication has been explicitly allowed by the site administrator.
The header was added in version 10.7.3. Its value defaults to 0 and cannot be changed.
There will be modifications to this header in a future release of the Messaging Gateway to address security concerns.
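To triage this kind of scan finding, the following added example (not code from the vendor or the product) classifies a response as having no HSTS header, a header with value 0, or an enforcing header, following the parsing rules in RFC 6797. The sample responses are constructed, and reading "value 0" as `max-age=0` on the wire is an assumption.

```python
import re

# Constructed sample responses (not captured from a real SMG appliance).
# Assumption: "value 0" on the page corresponds to max-age=0 on the wire.
SAMPLES = {
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "value_zero": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n",
    "enforcing": "HTTP/1.1 200 OK\r\nstrict-transport-security: "
                 "max-age=31536000; includeSubDomains\r\n\r\n",
    "malformed": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: includeSubDomains\r\n\r\n",
}

def hsts_values(raw_response):
    """Return every Strict-Transport-Security field value in a raw header block."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def classify_hsts(raw_response):
    """Classify as 'absent', 'invalid', 'disabled' (max-age=0) or 'enforced'."""
    values = hsts_values(raw_response)
    if not values:
        return "absent"
    # RFC 6797 section 8.1: a client processes only the first HSTS field.
    seen = {}
    for directive in values[0].split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return "invalid"  # a directive must not appear twice
        seen[name] = value.strip().strip('"')  # value may be a quoted-string
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return "invalid"  # max-age is required and must be a non-negative integer
    # max-age=0 tells the browser to stop treating the host as an HSTS host.
    return "disabled" if int(max_age) == 0 else "enforced"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify_hsts(raw)}")
```

A result of `disabled` means the header is present but gives browsers no HSTS protection, so a scanner that only checks for the header's presence will pass while one that checks the `max-age` value may still flag it.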