DEVTEST: HSTS Missing From HTTPS Server (RFC 6797) - Vulnerability

Article ID: 409948

Updated On:

Products

Service Virtualization

Issue/Introduction

We are getting vulnerability alerts from the security team on all HTTPS Virtual Services.

The remote web server is not enforcing HSTS, as defined by RFC 6797. 

Environment

10.7.2 and above

Cause

The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Resolution

Add the following MetaData Header property to the VSI Response:

Strict-Transport-Security: max-age=31536000; includeSubDomains
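After the property is added, confirm that the virtual service actually returns a well-formed header. The following checker is an added example written for this article; it is not part of Service Virtualization and does not use any product API. It parses a Strict-Transport-Security field value according to RFC 6797 (exactly one max-age directive, case-insensitive directive names, optional includeSubDomains and preload) and reports findings against the one-year value given in the resolution. The minimum max-age threshold and the sample header sets are assumptions constructed for the example.

```python
"""Validate a Strict-Transport-Security header as described in RFC 6797.

Added example for this article, not product code. MIN_MAX_AGE is an assumed
policy threshold that matches the 31536000 seconds used in the resolution.
"""
from typing import Dict, List, Optional

MIN_MAX_AGE = 31536000  # one year in seconds (assumed policy threshold)


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an HSTS field value.

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None when the value is malformed: RFC 6797 section 6.1 requires exactly
    one max-age directive and forbids repeating any directive name.
    """
    directives: Dict[str, str] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # max-age may be a quoted-string
        if name in directives:
            return None                      # duplicate directive is invalid
        directives[name] = val
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means it passes."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing (RFC 6797)"]
    parsed = parse_hsts(value)
    if parsed is None:
        return [f"Strict-Transport-Security header malformed: {value!r}"]
    findings = []
    if parsed["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max_age']} is below {MIN_MAX_AGE}")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains directive absent")
    return findings


# Constructed sample responses, as a scanner would see them (not captured data).
SAMPLE_RESPONSES = {
    "before fix": {"Content-Type": "application/json"},
    "after fix": {
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "too short": {"strict-transport-security": "max-age=300"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        result = check_hsts(hdrs) or ["OK"]
        print(f"{label:10s}: {'; '.join(result)}")
```

Run the checker against the header block returned by the virtual service over HTTPS; the header is only honoured by browsers when it arrives over a TLS connection, so a check performed against a plain-HTTP endpoint tells you nothing about the fix.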