Vulnerability: HSTS Missing From HTTPS Server - Atozed Forums (https://www.atozed.com/forums), IntraWeb General Discussion (/thread-2068.html)
Vulnerability: HSTS Missing From HTTPS Server - zsleo - 10-20-2020

I have an application built with IW 15.8.2 that is currently undergoing PCI version 3.2.1 DSS level 1 certification and it has failed on the following:

Quote: Part 2. Vulnerability Details

Is there an IW setting to enforce this or do I just add the custom header "Strict-Transport-Security: max-age=<expire-time>" in ServerController OnNewSession?

TIA

RE: Vulnerability: HSTS Missing From HTTPS Server - Jose Nilton Pace - 10-20-2020

Hi, read here: https://www.atozed.com/forums/thread-1302-post-4475.html#pid4475

RE: Vulnerability: HSTS Missing From HTTPS Server - Alexandre Machado - 10-26-2020

Hi Zane,

You can set this using OnAfterDispatch event. Anyway, we will be introducing an option to set this automatically when using HTTPS, via ServerController properties. It should be available in the next release.

Kind regards,

RE: Vulnerability: HSTS Missing From HTTPS Server - zsleo - 10-26-2020

(10-26-2020, 10:16 AM) Alexandre Machado Wrote:
> Hi Zane,

Thanks Alexandre. I look forward to it.

RE: Vulnerability: HSTS Missing From HTTPS Server - kudzu - 10-27-2020

Zane please check your email. Our admin has been trying to reach you regarding your license.

RE: Vulnerability: HSTS Missing From HTTPS Server - Alexandre Machado - 11-10-2020

Hi Zane, please update to IW 15.2.20 which implements the HSTS functionality out of the box.
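
Whichever way the header ends up being set (an event handler or the built-in option), the response can be checked before the next scan. The following is an added example, not part of the thread and not IntraWeb code: a small Python checker that parses a Strict-Transport-Security value against the RFC 6797 grammar and reports findings. The function names and the one-year `min_max_age` threshold are assumptions chosen for illustration.

```python
import re

MAX_AGE_RE = re.compile(r'^(?:(\d+)|"(\d+)")$')  # token or quoted-string form

def parse_hsts(value):
    """Parse an HSTS header value per the RFC 6797 section 6.1 grammar.
    Returns {'max_age': int, 'include_subdomains': bool}, or None if malformed
    (a conforming browser ignores a malformed header entirely)."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are permitted
        name, sep, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in seen:
            return None                   # each directive may appear only once
        seen[name] = arg.strip() if sep else None
    m = MAX_AGE_RE.match(seen.get("max-age") or "")
    if not m:
        return None                       # max-age is required and must be digits
    if seen.get("includesubdomains") is not None:
        return None                       # includeSubDomains takes no value
    return {"max_age": int(m.group(1) or m.group(2)),
            "include_subdomains": "includesubdomains" in seen}

def audit(scheme, headers, min_max_age=31536000):
    """headers: list of (name, value) pairs from one response.
    min_max_age is an assumed policy threshold (one year), not from the thread.
    Returns a list of findings; an empty list means the response passes."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        return ["HSTS sent over plain HTTP is ignored by browsers"] if values else []
    if not values:
        return ["HSTS header missing from HTTPS response"]
    findings = []
    if len(values) > 1:
        findings.append("multiple HSTS headers; only the first is processed")
    policy = parse_hsts(values[0])
    if policy is None:
        findings.append("malformed HSTS value; browsers will ignore it")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif policy["max_age"] < min_max_age:
        findings.append("max-age %d is below policy minimum %d"
                        % (policy["max_age"], min_max_age))
    return findings
```

Note that the literal placeholder `max-age=<expire-time>` from the question is reported as malformed; the value has to be a number of seconds.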