HSTS Missing From HTTPS Server

Article ID: 269124


Products

VIP Service

Issue/Introduction

A vulnerability assessment (VA) scan report flags the finding "HSTS Missing From HTTPS Server (RFC 6797)" against the URL of the VIP Enterprise Gateway (EG) console.


Name

HSTS Missing From HTTPS Server (RFC 6797)

Synopsis

The remote web server is not enforcing HSTS, as defined by RFC 6797.

Description

The remote web server is not enforcing HSTS, as defined by RFC 6797.
HSTS is an optional response header that can be configured on the server to instruct
the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks,
SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Solution

Configure the remote web server to use HSTS.

Plugin Output

  The remote HTTPS server does not send the HTTP
  "Strict-Transport-Security" header.


Environment

Symantec VIP Enterprise Gateway - 9.10.2

Cause

The Strict-Transport-Security header is set on the main pages of the EG console, so a request for a normal console page does carry the HSTS policy.

As part of its checks, Nessus also requests non-existent pages. The web server answers those with its error-handling pages for the status encountered (for example 404), and the "Strict-Transport-Security" header is not included on the site's 404 and 3xx responses. Because RFC 6797 applies to every HTTPS response from the host, a single response without the header is enough for the plugin to report the finding, even though the main pages are covered.
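The following added example (not code from the VIP Enterprise Gateway or the Nessus plugin) reproduces the cause described above and the shape of the fix. A naive handler sets Strict-Transport-Security only when it renders its main page, so a redirect and the built-in 404 page go out without it; a fixed handler adds the header at the one point every response passes through, so 200, 3xx and 404 responses all carry it. A small scanner in the same script, modelled on what the plugin checks, requests the main page, a redirecting path and a non-existent path and reports which responses lack the header. The server, paths (/, /old, /does-not-exist) and the policy value are hypothetical, and the demo uses plain HTTP on the loopback interface so it runs offline; on a real deployment the header must be sent on the HTTPS responses, since browsers ignore it over plain HTTP.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hypothetical policy value (one year, subdomains included); tune for your site.
HSTS_VALUE = "max-age=31536000; includeSubDomains"
HSTS_HEADER = "Strict-Transport-Security"


class NaiveHandler(BaseHTTPRequestHandler):
    """Sets HSTS per page: only the 'main page' handler adds it.

    The 301 redirect and the built-in 404 page (send_error) never go
    through that code path, which is exactly the gap a scanner probing
    a non-existent URL reports.
    """

    def do_GET(self):
        if self.path == "/":
            body = b"console main page\n"
            self.send_response(200)
            self.add_page_hsts()
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/old":
            # Hypothetical legacy path that redirects to the console root.
            self.send_response(301)
            self.send_header("Location", "/")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(404)  # default error page: no HSTS header here

    def add_page_hsts(self):
        # Per-page approach: the header is only emitted by this one handler.
        self.send_header(HSTS_HEADER, HSTS_VALUE)

    def log_message(self, *args):
        pass  # keep the demo's output to the scan report only


class FixedHandler(NaiveHandler):
    """Adds HSTS where every response passes through.

    send_error() and redirects both end in end_headers(), so overriding it
    covers 200, 3xx and 404 responses alike with a single header each.
    """

    def add_page_hsts(self):
        pass  # no longer per page; end_headers() below covers all responses

    def end_headers(self):
        self.send_header(HSTS_HEADER, HSTS_VALUE)
        super().end_headers()


def scan_hsts(handler_cls, paths=("/", "/old", "/does-not-exist")):
    """Serve handler_cls on a loopback port and report, per path,
    (status code, whether Strict-Transport-Security was present)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {}
        for path in paths:
            # http.client does not follow redirects, so the 301 is observed as-is.
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            results[path] = (resp.status, resp.getheader(HSTS_HEADER) is not None)
            conn.close()
        return results
    finally:
        server.shutdown()
        server.server_close()


def paths_missing_hsts(handler_cls):
    """Paths whose response lacked the header; an empty list means the plugin's check passes."""
    return [p for p, (_, present) in scan_hsts(handler_cls).items() if not present]


if __name__ == "__main__":
    for name, cls in (("naive", NaiveHandler), ("fixed", FixedHandler)):
        for path, (status, present) in scan_hsts(cls).items():
            print(f"{name:5} {status} {path:16} HSTS={'yes' if present else 'MISSING'}")
```

The same check can be run against a real console with any HTTP client by requesting a path that does not exist and a path known to redirect, and confirming that the Strict-Transport-Security header appears on those responses as well as on the main page.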

Resolution

This finding is addressed in the EG 9.11.x release, which sends the Strict-Transport-Security header on the console's error and redirect responses as well as its main pages.