During a penetration test we identified the "HSTS Missing From HTTPS Server" vulnerability. How can this issue be resolved?
Release : 14.3 CP2, 14.4
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
The HTTP Strict-Transport-Security response header (HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
IM does not return this header; it relies instead on the Upgrade-Insecure-Requests mechanism.

The HTTP Upgrade-Insecure-Requests request header is sent by the browser to signal that it prefers an encrypted and authenticated response and that it can handle the upgrade-insecure-requests Content-Security-Policy directive. When the server answers with that CSP directive, the browser rewrites the HTTP subresource and navigation requests made from that page (scripts, images, stylesheets, form targets, links) to HTTPS before sending them.

The two mechanisms are not equivalent, and a browser is only "forced" onto HTTPS in different situations by each. HSTS is a server-sent policy: once received, the browser refuses plaintext HTTP to that host for max-age seconds on every later visit, including the first request of a new session when the user types http://, and it does not allow click-through on certificate errors for that host. upgrade-insecure-requests only upgrades requests issued from a page that has already been loaded and that carries the directive; it does nothing for the initial plaintext navigation, and nothing at all if the first response never arrives over HTTPS. A scanner that tests for the Strict-Transport-Security response header will therefore keep reporting the finding until that header is returned by whatever component terminates TLS in front of IM. The usual policy is a max-age of at least one year (31536000 seconds), with includeSubDomains added only when every subdomain of the host is served over HTTPS, since the directive applies to all of them.
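A quick way to verify what the appliance actually returns is to inspect the response headers. The following is an added example and not part of the CA Identity Suite documentation: a small POSIX shell function that reads raw response headers on stdin (for example from curl -sI) and reports whether a usable HSTS policy is present. The three sample responses are constructed for illustration, and the host name in the final comment is a placeholder, not a real appliance address.

```shell
#!/bin/sh
# Added example (not from the CA Identity Suite documentation): check a set of
# HTTP response headers for a usable HSTS policy. The sample responses below
# are constructed for illustration, not captured from a real appliance.

# check_hsts reads raw response headers on stdin. It returns 0 when a
# Strict-Transport-Security header with a max-age of at least one year is
# present, and 1 otherwise, printing a one-line verdict either way.
check_hsts() {
    # Strip CRLF, keep the first HSTS header line, take everything after the colon.
    hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header in response"
        return 1
    fi
    # Directive names are case-insensitive, so compare against a lowercased copy.
    lower=$(printf '%s' "$hsts" | tr '[:upper:]' '[:lower:]')
    max_age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "FAIL: HSTS header present but max-age is missing:$hsts"
        return 1
    fi
    if [ "$max_age" -lt 31536000 ]; then
        echo "FAIL: HSTS max-age=$max_age is below one year (31536000)"
        return 1
    fi
    case "$lower" in
        *includesubdomains*) ;;
        *) echo "NOTE: includeSubDomains not set; subdomains are not covered" ;;
    esac
    echo "OK:$hsts"
    return 0
}

# hsts_max_age prints only the max-age value from the headers on stdin
# (empty when the header is absent), which is handy for recording the
# setting before and after a change.
hsts_max_age() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | tr '[:upper:]' '[:lower:]' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample responses (the finding, a too-short policy, and a good one).
RESP_MISSING='HTTP/1.1 200 OK
Content-Type: text/html'

RESP_SHORT='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Type: text/html'

RESP_OK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

# Run the check against each sample; "|| :" keeps a failing verdict from
# aborting a caller that runs under "set -e".
printf '%s\n' "$RESP_MISSING" | check_hsts || :
printf '%s\n' "$RESP_SHORT"   | check_hsts || :
printf '%s\n' "$RESP_OK"      | check_hsts || :

# Against a live host (placeholder name, an assumption; use the appliance URL):
#   curl -sI https://<identity-suite-host>/ | check_hsts
```

Run it against the HTTPS front end of the appliance rather than against a back-end port, because the header has to be present on the response the browser actually sees; a header added on an internal listener that a reverse proxy strips will still leave the finding open.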