The security team has discovered the vulnerability HSTS Missing From HTTPS Server (RFC 6797). Please provide instructions for enabling HSTS on Windows standalone connector servers, for TCP ports 20443 and 22002.
Open a support case and request 1442_HF_DE577160.zip or 14.5_HF-DE577160.zip.
This has been addressed in in 14.5.1
Note:
Depending on the security tool, you may still get false positives.
The HSTS configuration is not able to be set at the root level as https://hostname:20443/ is not an honored resource by the JCS server. It is just a static page and redirects to another page, even the curl command result shows this result with status code 302 redirect.
curl --head https://hostname:20443
HTTP/1.1 302 Found
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: JSESSIONID=58p6eXXXXXXXXXXX8pm8;Path=/
Location: https://hostname:20443/main
Content-Length: 0
Server: Jetty(6.1.x)
The HSTS vulnerability (RFC 6797) has been resolved at the landing page (https://hostname:20443/main) and therefore engineering has declared the JCS is no longer vulnerable to (RFC 6797). Additionally, the product at the root level( https://hostname:20443/) forces a URL redirect to the main page(https://hostname:20443/main) where the flag is properly set.
Curl Command showing remediation:
curl --head https://hostname:20443/main
HTTP/1.1 200 OK
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: JSESSIONID=1xoXXXXXXXXXXXXuftse;Path=/
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 0
Server: Jetty(6.1.x)