ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Vulnerability HSTS (CVE-2015-5505)
Article ID: 214208
Updated On:
Products
CA Identity Manager
Issue/Introduction
During a penetration test we identified the "HSTS Missing From HTTPS Server" vulnerability. How can this issue be resolved?
Environment
Release : 14.3 CP2, 14.4
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
Resolution
The HTTP Strict-Transport-Security response header (HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
This is negated in IM by the use of "Upgrade-Insecure-Requests".
The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.
In both approaches, the browser is forced to make a secure connection with the server.
Feedback
Yes
No
Powered by
