Vulnerability: HSTS Missing From HTTPS Server
I have an application built with IW 15.8.2 that is currently undergoing PCI version 3.2.1 DSS level 1 certification and it has failed on the following:
Quote: Part 2. Vulnerability Details
Component: [web address removed]
Compliance Status: Fail
Detected Open Port: TCP port 443
CVE Number (None)
CVSSScore: 5.8
Severity Level: Medium
Vulnerability: HSTS Missing From HTTPS Server
Details Synopsis: The remote web server is not enforcing HSTS.
Impact: The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
See also: https://tools.ietf.org/html/rfc6797
Data Received: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
Resolution: Configure the remote web server to use HSTS.


Is there an IW setting to enforce this, or do I just add the custom header "Strict-Transport-Security: max-age=<expire-time>" in ServerController OnNewSession?

TIA
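A verification routine for the finding quoted above, added here as an example and not code from the post or from IntraWeb: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes (semicolon-separated directives, case-insensitive names, an optionally quoted max-age) and grades a response's headers as the scanner would. The one-year minimum max-age and the sample header sets are assumptions constructed for the demonstration.

```python
import re
from typing import Optional

HEADER = "strict-transport-security"
MIN_MAX_AGE = 31536000  # one year; assumed threshold below which HSTS is graded WEAK


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an HSTS header value; return None if max-age is missing or malformed."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # max-age may be a quoted-string
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None                  # max-age must be a non-negative integer
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None                          # max-age is the one required directive
    return result


def check_hsts(headers: dict) -> str:
    """Grade a response header dict as FAIL, WEAK or PASS for the HSTS finding."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if HEADER not in lowered:
        return "FAIL"                        # the exact condition the scanner reported
    parsed = parse_hsts(lowered[HEADER])
    if parsed is None or parsed["max_age"] == 0:
        return "FAIL"                        # malformed, or max-age=0 which tells browsers to forget the policy
    if parsed["max_age"] < MIN_MAX_AGE:
        return "WEAK"
    return "PASS"


# Constructed sample responses (not captured from any real server)
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "fixed": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "short": {"Strict-Transport-Security": 'max-age="3600"'},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {check_hsts(hdrs)}")
```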
Messages In This Thread
Vulnerability: HSTS Missing From HTTPS Server - by zsleo - 10-20-2020, 01:50 AM