Vulnerability HSTS (CVE-2015-5505)

Article ID: 214208

Products

CA Identity Manager

Issue/Introduction

During a penetration test we identified the "HSTS Missing From HTTPS Server" vulnerability. How can this issue be resolved?

Environment

Release : 14.3 CP2, 14.4

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

The HTTP Strict-Transport-Security response header (HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

In IM this finding is negated by the use of "Upgrade-Insecure-Requests".

The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.

In both approaches, the browser is forced to make a secure connection with the server.
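The following is an added check (not part of this article and not CA Identity Manager code) that parses the two server-side signals contrasted above: the Strict-Transport-Security header and the upgrade-insecure-requests directive inside Content-Security-Policy. The header sets are constructed samples, not captured from an IM appliance.

```python
"""Added example, not from the article or from CA IM: inspect the response
headers an HTTPS server returns and report whether it sends HSTS and/or the
upgrade-insecure-requests CSP directive. Sample headers are constructed."""
from typing import Optional


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value into its directives.
    Returns None when max-age is missing, since the header is then invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess(headers: dict) -> dict:
    """Classify an HTTPS response: does it carry a valid HSTS header, and
    does its CSP carry upgrade-insecure-requests? Header names are matched
    case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    hsts_value = lower.get("strict-transport-security")
    hsts = parse_hsts(hsts_value) if hsts_value else None
    csp = lower.get("content-security-policy", "")
    csp_upgrade = any(d.strip().lower() == "upgrade-insecure-requests"
                      for d in csp.split(";"))
    return {"hsts": hsts, "csp_upgrade": csp_upgrade}


# Constructed samples: a response relying only on the CSP directive (which a
# scanner checking for the HSTS header alone still flags) and one sending both.
CSP_ONLY = {"Content-Type": "text/html",
            "Content-Security-Policy": "upgrade-insecure-requests"}
BOTH = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests"}

if __name__ == "__main__":
    for name, hdrs in (("csp_only", CSP_ONLY), ("both", BOTH)):
        print(name, assess(hdrs))
```

A scanner that tests only for the Strict-Transport-Security header reports the CSP_ONLY case as "HSTS Missing", which is the finding described above.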